Social engineering / phishing | Latest Threats | Microsoft Security Blog

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

Microsoft Threat Intelligence — Wed, 15 May 2024 16:00:00 +0000

June 2024 update: At the end of May 2024, Microsoft Threat Intelligence observed Storm-1811 using Microsoft Teams as another vector to contact target users. Microsoft assesses that the threat actor uses Teams to send messages and initiate calls in an attempt to impersonate IT or help desk personnel. This activity leads to Quick Assist misuse, followed by credential theft using EvilProxy, execution of batch scripts, and use of SystemBC for persistence and command and control.

Since mid-April 2024, Microsoft Threat Intelligence has observed the threat actor Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks. Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware. The observed activity begins with impersonation through voice phishing (vishing), followed by delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and ultimately Black Basta ransomware.

MITIGATE THIS THREAT

Get recommendations

Quick Assist is an application that enables a user to share their Windows or macOS device with another person over a remote connection. This enables the connecting user to remotely connect to the receiving user’s device and view its display, make annotations, or take full control, typically for troubleshooting. Threat actors misuse Quick Assist features to perform social engineering attacks by pretending, for example, to be a trusted contact like Microsoft technical support or an IT professional from the target user’s company to gain initial access to a target device.

RANSOMWARE AS A SERVICE

Protect users and orgs

In addition to protecting customers from observed malicious activity, Microsoft is investigating the use of Quick Assist in these attacks and is working on improving the transparency and trust between helpers and sharers, and incorporating warning messages in Quick Assist to alert users about possible tech support scams. Microsoft Defender for Endpoint detects components of activity originating from Quick Assist sessions as well as follow-on activity, and Microsoft Defender Antivirus detects the malware components associated with this activity.

TECH SUPPORT SCAMS

Report scam

Organizations can also reduce the risk of attacks by blocking or uninstalling Quick Assist and other remote management tools if the tools are not in use in their environment. Quick Assist is installed by default on devices running Windows 11. Additionally, tech support scams are an industry-wide issue where scammers use scare tactics to trick users into unnecessary technical support services. Educating users on how to recognize such scams can significantly reduce the impact of social engineering attacks.

One of the social engineering techniques used by threat actors to obtain initial access to target devices using Quick Assist is through vishing attacks. Vishing attacks are a form of social engineering that involves callers luring targets into revealing sensitive information under false pretenses or tricking targets into carrying out actions on behalf of the caller.

For example, threat actors might attempt to impersonate IT or help desk personnel, pretending to conduct generic fixes on a device. In other cases, threat actors initiate link listing attacks – a type of email bombing attack, where threat actors sign up targeted emails to multiple email subscription services to flood email addresses indirectly with subscribed content. Following the email flood, the threat actor impersonates IT support through phone calls to the target user, claiming to offer assistance in remediating the spam issue.

At the end of May 2024, Microsoft observed Storm-1811 using Microsoft Teams to send messages to and call target users. Tenants created by the threat actor are used to impersonate help desk personnel with names displayed as “Help Desk”, “Help Desk IT”, “Help Desk Support”, and “IT Support”. Microsoft has taken action to mitigate this by suspending identified accounts and tenants associated with inauthentic behavior. Apply security best practices for Microsoft Teams to safeguard Teams users.

During the call, the threat actor persuades the user to grant them access to their device through Quick Assist. The target user only needs to press CTRL + Windows + Q and enter the security code provided by the threat actor, as shown in the figure below.

Figure 1. Quick Assist prompt to enter security code

After the target enters the security code, they receive a dialog box asking for permission to allow screen sharing. Selecting Allow shares the user’s screen with the actor.

Figure 2. Quick Assist dialog box asking permission to allow screen sharing

Once in the session, the threat actor can select Request Control, which if approved by the target, grants the actor full control of the target’s device.

Figure 3. Quick Assist dialog box asking permission to allow control

Follow-on activity leading to Black Basta ransomware

Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads. Some of the batch scripts observed reference installing fake spam filter updates requiring the targets to provide sign-in credentials. In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike.

Figure 4. Examples of cURL commands to download batch files and ZIP files

Qakbot has been used over the years as a remote access vector to deliver additional malicious payloads that led to ransomware deployment. In this recent activity, Qakbot was used to deliver a Cobalt Strike Beacon attributed to Storm-1811.

ScreenConnect was used to establish persistence and conduct lateral movement within the compromised environment. NetSupport Manager is a remote access tool used by multiple threat actors to maintain control over compromised devices. An attacker might use this tool to remotely access the device, download and install additional malware, and launch arbitrary commands.

The mentioned RMM tools are commonly used by threat actors because of their extensive capabilities and ability to blend in with the environment. In some cases, the actors leveraged the OpenSSH tunneling tool to establish a secure shell (SSH) tunnel for persistence.

After the threat actor installs the initial tooling and the phone call is concluded, Storm-1811 leverages their access and performs further hands-on-keyboard activities such as domain enumeration and lateral movement.

In cases where Storm-1811 relies on Teams messages followed by phone calls and remote access through Quick Assist, the threat actor uses BITSAdmin to download batch files and ZIP files from a malicious site, for example antispam3[.]com. Storm-1811 also provides the target user with malicious links that redirect the user to an EvilProxy phishing site to input credentials. EvilProxy is an adversary-in-the-middle (AiTM) phishing kit used to capture passwords, hijack a user’s sign-in session, and skip the authentication process. Storm-1811 was also observed deploying SystemBC, a post-compromise commodity remote access trojan (RAT) and proxy tool typically used to establish command-and-control communication, establish persistence in a compromised environment, and deploy follow-on malware, notably ransomware.

In several cases, Storm-1811 uses PsExec to deploy Black Basta ransomware throughout the network. Black Basta is a closed ransomware offering (exclusive and not openly marketed like ransomware as a service) distributed by a small number of threat actors who typically rely on other threat actors for initial access, malicious infrastructure, and malware development. Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after receiving access from Qakbot and other malware distributors, highlighting the need for organizations to focus on attack stages prior to ransomware deployment to reduce the threat. In the next sections, we share recommendations for improving defenses against this threat, including best practices when using Quick Assist and mitigations for reducing the impact of Black Basta and other ransomware.

Recommendations

Microsoft recommends the following best practices to protect users and organizations from attacks and threat actors that misuse Quick Assist:

Consider blocking or uninstalling Quick Assist and other remote monitoring and management tools if these tools are not in use in your environment. If your organization utilizes another remote support tool such as Remote Help, block or remove Quick Assist as a best practice. Remote Help is part of the Microsoft Intune Suite and provides authentication and security controls for helpdesk connections.
Educate users about protecting themselves from tech support scams. Tech support scams are an industry-wide issue where scammers use scary tactics to trick users into unnecessary technical support services.
Only allow a helper to connect to your device using Quick Assist if you initiated the interaction by contacting Microsoft Support or your IT support staff directly. Don’t provide access to anyone claiming to have an urgent need to access your device.
If you suspect that the person connecting to your device is conducting malicious activity, disconnect from the session immediately and report to your local authorities and/or any relevant IT members within your organization.
Users who have been affected by a tech support scam can also use the Microsoft technical support scam form to report it.

Microsoft recommends the following mitigations to reduce the impact of this threat:

Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.
Educate users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent through instant messaging applications or social networks as well as suspicious phone calls.
Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. Microsoft Defender for Office 365 brings together incident and alert management across email, devices, and identities, centralizing investigations for email-based threats.
Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
Apply Microsoft’s security best practices for Microsoft Teams to safeguard Teams users.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
Turn on tamper protection features to prevent attackers from stopping security services.
Enable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Refer to Microsoft’s human-operated ransomware overview for general hardening recommendations against ransomware attacks.

Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack techniques:

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects Qakbot downloaders, implants, and behavior as the following malware:

Black Basta threat components are detected as the following:

Microsoft Defender Antivirus detects Beacon running on a victim process as the following:

Additional Cobalt Strike components are detected as the following:

SystemBC components are detected as:

Microsoft Defender for Endpoint

Alerts with the following title in the security center can indicate threat activity on your network:

Suspicious activity using Quick Assist

The following alerts might also indicate activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

Suspicious curl behavior
Suspicious bitsadmin activity
Suspicious file creation by BITSAdmin tool
A file or network connection related to a ransomware-linked emerging threat activity group detected —This alert captures Storm-1811 activity
Ransomware-linked emerging threat activity group Storm-0303 detected — This alert captures some Qakbot distributor activity
Possible Qakbot activity
Possible NetSupport Manager activity
Possibly malicious use of proxy or tunneling tool
Suspicious usage of remote management software
Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
Human-operated attack using Cobalt Strike
Human-operated attack implant tool detected
Ransomware behavior detected in the file system

Indicators of compromise

Domain names:

upd7a[.]com
upd7[.]com
upd9[.]com
upd5[.]pro
antispam3[.]com
antispam2[.]com

SHA-256:

71d50b74f81d27feefbc2bc0f631b0ed7fcdf88b1abbd6d104e66638993786f8
0f9156f91c387e7781603ed716dcdc3f5342ece96e155115708b1662b0f9b4d0
1ad05a4a849d7ed09e2efb38f5424523651baf3326b5f95e05f6726f564ccc30
93058bd5fe5f046e298e1d3655274ae4c08f07a8b6876e61629ae4a0b510a2f7
1cb1864314262e71de1565e198193877ef83e98823a7da81eb3d59894b5a4cfb

ScreenConnect relay:

instance-olqdnn-relay.screenconnect[.]com

NetSupport C2:

greekpool[.]com

Cobalt Strike Beacon C2:

zziveastnews[.]com
realsepnews[.]com

Advanced hunting

Microsoft Defender XDR

To locate possible malicious activity, run the following query in the Microsoft Defender portal:

This query looks for possible email bombing activity:

EmailEvents
| where EmailDirection == "Inbound"
| make-series Emailcount = count()
              on Timestamp step 1h by RecipientObjectId
| extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)
| mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp
| where Anomalies != 0
| where AnomalyScore >= 10

This query looks for possible Teams phishing activity.

let suspiciousUpns = DeviceProcessEvents
| where DeviceId == "alertedMachine"
| where isnotempty(InitiatingProcessAccountUpn)
| project InitiatingProcessAccountUpn;
CloudAppEvents
| where Application == "Microsoft Teams"
| where ActionType == "ChatCreated"
| where isempty(AccountObjectId)
| where RawEventData.ParticipantInfo.HasForeignTenantUsers == true
| where RawEventData.CommunicationType == "OneonOne"
| where RawEventData.ParticipantInfo.HasGuestUsers == false
| where RawEventData.ParticipantInfo.HasOtherGuestUsers == false
| where RawEventData.Members[0].DisplayName in ("Microsoft  Security", "Help Desk", "Help Desk Team", "Help Desk IT", "Microsoft Security", "office")
| where AccountId has "@"
| extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))
| where TargetUPN in (suspiciousUpns)

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel also has a range of hunting queries available in Sentinel GitHub repo or as part of Sentinel solutions that customers can use to detect the activity detailed in this blog in addition to Microsoft Defender detections. These hunting queries include the following:

Qakbot:

Qakbot hunting queries

Cobalt Strike:

References

Defense and Mitigations from E-mail Bombing. U.S. Department of Health and Human Services, Health Sector Cybersecurity Coordination Center

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Threat actors misusing Quick Assist in social engineering attacks leading to ransomware appeared first on Microsoft Security Blog.

Staying ahead of threat actors in the age of AI

Microsoft Threat Intelligence — Wed, 14 Feb 2024 12:00:00 +0000

Over the last year, the speed, scale, and sophistication of attacks has increased alongside the rapid development and adoption of AI. Defenders are only beginning to recognize and apply the power of generative AI to shift the cybersecurity balance in their favor and keep ahead of adversaries. At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified activity associated with known threat actors, including prompt-injections, attempted misuse of large language models (LLM), and fraud. Our analysis of the current use of LLM technology by threat actors revealed behaviors consistent with attackers using AI as another productivity tool on the offensive landscape. You can read OpenAI’s blog on the research here. Microsoft and OpenAI have not yet observed particularly novel or unique AI-enabled attack or abuse techniques resulting from threat actors’ usage of AI. However, Microsoft and our partners continue to study this landscape closely.

The objective of Microsoft’s partnership with OpenAI, including the release of this research, is to ensure the safe and responsible use of AI technologies like ChatGPT, upholding the highest standards of ethical application to protect the community from potential misuse. As part of this commitment, we have taken measures to disrupt assets and accounts associated with threat actors, improve the protection of OpenAI LLM technology and users from attack or abuse, and shape the guardrails and safety mechanisms around our models. In addition, we are also deeply committed to using generative AI to disrupt threat actors and leverage the power of new tools, including Microsoft Copilot for Security, to elevate defenders everywhere.

A principled approach to detecting and blocking threat actors

The progress of technology creates a demand for strong cybersecurity and safety measures. For example, the White House’s Executive Order on AI requires rigorous safety testing and government supervision for AI systems that have major impacts on national and economic security or public health and safety. Our actions enhancing the safeguards of our AI models and partnering with our ecosystem on the safe creation, implementation, and use of these models align with the Executive Order’s request for comprehensive AI safety and security standards.

In line with Microsoft’s leadership across AI and cybersecurity, today we are announcing principles shaping Microsoft’s policy and actions mitigating the risks associated with the use of our AI tools and APIs by nation-state advanced persistent threats (APTs), advanced persistent manipulators (APMs), and cybercriminal syndicates we track.

These principles include:

Identification and action against malicious threat actors’ use: Upon detection of the use of any Microsoft AI application programming interfaces (APIs), services, or systems by an identified malicious threat actor, including nation-state APT or APM, or the cybercrime syndicates we track, Microsoft will take appropriate action to disrupt their activities, such as disabling the accounts used, terminating services, or limiting access to resources.

Notification to other AI service providers: When we detect a threat actor’s use of another service provider’s AI, AI APIs, services, and/or systems, Microsoft will promptly notify the service provider and share relevant data. This enables the service provider to independently verify our findings and take action in accordance with their own policies.

Collaboration with other stakeholders: Microsoft will collaborate with other stakeholders to regularly exchange information about detected threat actors’ use of AI. This collaboration aims to promote collective, consistent, and effective responses to ecosystem-wide risks.

Transparency: As part of our ongoing efforts to advance responsible use of AI, Microsoft will inform the public and stakeholders about actions taken under these threat actor principles, including the nature and extent of threat actors’ use of AI detected within our systems and the measures taken against them, as appropriate.

Microsoft remains committed to responsible AI innovation, prioritizing the safety and integrity of our technologies with respect for human rights and ethical standards. These principles announced today build on Microsoft’s Responsible AI practices, our voluntary commitments to advance responsible AI innovation and the Azure OpenAI Code of Conduct. We are following these principles as part of our broader commitments to strengthening international law and norms and to advance the goals of the Bletchley Declaration endorsed by 29 countries.

Microsoft and OpenAI’s complementary defenses protect AI platforms

Because Microsoft and OpenAI’s partnership extends to security, the companies can take action when known and emerging threat actors surface. Microsoft Threat Intelligence tracks more than 300 unique threat actors, including 160 nation-state actors, 50 ransomware groups, and many others. These adversaries employ various digital identities and attack infrastructures. Microsoft’s experts and automated systems continually analyze and correlate these attributes, uncovering attackers’ efforts to evade detection or expand their capabilities by leveraging new technologies. Consistent with preventing threat actors’ actions across our technologies and working closely with partners, Microsoft continues to study threat actors’ use of AI and LLMs, partner with OpenAI to monitor attack activity, and apply what we learn to continually improve defenses. This blog provides an overview of observed activities collected from known threat actor infrastructure as identified by Microsoft Threat Intelligence, then shared with OpenAI to identify potential malicious use or abuse of their platform and protect our mutual customers from future threats or harm.

Recognizing the rapid growth of AI and emergent use of LLMs in cyber operations, we continue to work with MITRE to integrate these LLM-themed tactics, techniques, and procedures (TTPs) into the MITRE ATT&CK® framework or MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) knowledgebase. This strategic expansion reflects a commitment to not only track and neutralize threats, but also to pioneer the development of countermeasures in the evolving landscape of AI-powered cyber operations. A full list of the LLM-themed TTPs, which include those we identified during our investigations, is summarized in the appendix.

Summary of Microsoft and OpenAI’s findings and threat intelligence

The threat ecosystem over the last several years has revealed a consistent theme of threat actors following trends in technology in parallel with their defender counterparts. Threat actors, like defenders, are looking at AI, including LLMs, to enhance their productivity and take advantage of accessible platforms that could advance their objectives and attack techniques. Cybercrime groups, nation-state threat actors, and other adversaries are exploring and testing different AI technologies as they emerge, in an attempt to understand potential value to their operations and the security controls they may need to circumvent. On the defender side, hardening these same security controls from attacks and implementing equally sophisticated monitoring that anticipates and blocks malicious activity is vital.

While different threat actors’ motives and complexity vary, they have common tasks to perform in the course of targeting and attacks. These include reconnaissance, such as learning about potential victims’ industries, locations, and relationships; help with coding, including improving things like software scripts and malware development; and assistance with learning and using native languages. Language support is a natural feature of LLMs and is attractive for threat actors with continuous focus on social engineering and other techniques relying on false, deceptive communications tailored to their targets’ jobs, professional networks, and other relationships.

Importantly, our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely. At the same time, we feel this is important research to publish to expose early-stage, incremental moves that we observe well-known threat actors attempting, and share information on how we are blocking and countering them with the defender community.

While attackers will remain interested in AI and probe technologies’ current capabilities and security controls, it’s important to keep these risks in context. As always, hygiene practices such as multifactor authentication (MFA) and Zero Trust defenses are essential because attackers may use AI-based tools to improve their existing cyberattacks that rely on social engineering and finding unsecured devices and accounts.

The threat actors profiled below are a sample of observed activity we believe best represents the TTPs the industry will need to better track using MITRE ATT&CK® framework or MITRE ATLAS™ knowledgebase updates.

Forest Blizzard

Forest Blizzard (STRONTIUM) is a Russian military intelligence actor linked to GRU Unit 26165, who has targeted victims of both tactical and strategic interest to the Russian government. Their activities span across a variety of sectors including defense, transportation/logistics, government, energy, non-governmental organizations (NGO), and information technology. Forest Blizzard has been extremely active in targeting organizations in and related to Russia’s war in Ukraine throughout the duration of the conflict, and Microsoft assesses that Forest Blizzard operations play a significant supporting role to Russia’s foreign policy and military objectives both in Ukraine and in the broader international community. Forest Blizzard overlaps with the threat actor tracked by other researchers as APT28 and Fancy Bear.

Forest Blizzard’s use of LLMs has involved research into various satellite and radar technologies that may pertain to conventional military operations in Ukraine, as well as generic research aimed at supporting their cyber operations. Based on these observations, we map and classify these TTPs using the following descriptions:

LLM-informed reconnaissance: Interacting with LLMs to understand satellite communication protocols, radar imaging technologies, and specific technical parameters. These queries suggest an attempt to acquire in-depth knowledge of satellite capabilities.
LLM-enhanced scripting techniques: Seeking assistance in basic scripting tasks, including file manipulation, data selection, regular expressions, and multiprocessing, to potentially automate or optimize technical operations.

Microsoft observed engagement from Forest Blizzard that were representative of an adversary exploring the use cases of a new technology. All accounts and assets associated with Forest Blizzard have been disabled.

Emerald Sleet

Emerald Sleet (THALLIUM) is a North Korean threat actor that has remained highly active throughout 2023. Their recent operations relied on spear-phishing emails to compromise and gather intelligence from prominent individuals with expertise on North Korea. Microsoft observed Emerald Sleet impersonating reputable academic institutions and NGOs to lure victims into replying with expert insights and commentary about foreign policies related to North Korea. Emerald Sleet overlaps with threat actors tracked by other researchers as Kimsuky and Velvet Chollima.

Emerald Sleet’s use of LLMs has been in support of this activity and involved research into think tanks and experts on North Korea, as well as the generation of content likely to be used in spear-phishing campaigns. Emerald Sleet also interacted with LLMs to understand publicly known vulnerabilities, to troubleshoot technical issues, and for assistance with using various web technologies. Based on these observations, we map and classify these TTPs using the following descriptions:

LLM-assisted vulnerability research: Interacting with LLMs to better understand publicly reported vulnerabilities, such as the CVE-2022-30190 Microsoft Support Diagnostic Tool (MSDT) vulnerability (known as “Follina”).
LLM-enhanced scripting techniques: Using LLMs for basic scripting tasks such as programmatically identifying certain user events on a system and seeking assistance with troubleshooting and understanding various web technologies.
LLM-supported social engineering: Using LLMs for assistance with the drafting and generation of content that would likely be for use in spear-phishing campaigns against individuals with regional expertise.
LLM-informed reconnaissance: Interacting with LLMs to identify think tanks, government organizations, or experts on North Korea that have a focus on defense issues or North Korea’s nuclear weapon’s program.

All accounts and assets associated with Emerald Sleet have been disabled.

Crimson Sandstorm

Crimson Sandstorm (CURIUM) is an Iranian threat actor assessed to be connected to the Islamic Revolutionary Guard Corps (IRGC). Active since at least 2017, Crimson Sandstorm has targeted multiple sectors, including defense, maritime shipping, transportation, healthcare, and technology. These operations have frequently relied on watering hole attacks and social engineering to deliver custom .NET malware. Prior research also identified custom Crimson Sandstorm malware using email-based command-and-control (C2) channels. Crimson Sandstorm overlaps with the threat actor tracked by other researchers as Tortoiseshell, Imperial Kitten, and Yellow Liderc.

The use of LLMs by Crimson Sandstorm has reflected the broader behaviors that the security community has observed from this threat actor. Interactions have involved requests for support around social engineering, assistance in troubleshooting errors, .NET development, and ways in which an attacker might evade detection when on a compromised machine. Based on these observations, we map and classify these TTPs using the following descriptions:

LLM-supported social engineering: Interacting with LLMs to generate various phishing emails, including one pretending to come from an international development agency and another attempting to lure prominent feminists to an attacker-built website on feminism.
LLM-enhanced scripting techniques: Using LLMs to generate code snippets that appear intended to support app and web development, interactions with remote servers, web scraping, executing tasks when users sign in, and sending information from a system via email.
LLM-enhanced anomaly detection evasion: Attempting to use LLMs for assistance in developing code to evade detection, to learn how to disable antivirus via registry or Windows policies, and to delete files in a directory after an application has been closed.

All accounts and assets associated with Crimson Sandstorm have been disabled.

Charcoal Typhoon

Charcoal Typhoon (CHROMIUM) is a Chinese state-affiliated threat actor with a broad operational scope. They are known for targeting sectors that include government, higher education, communications infrastructure, oil & gas, and information technology. Their activities have predominantly focused on entities within Taiwan, Thailand, Mongolia, Malaysia, France, and Nepal, with observed interests extending to institutions and individuals globally who oppose China’s policies. Charcoal Typhoon overlaps with the threat actor tracked by other researchers as Aquatic Panda, ControlX, RedHotel, and BRONZE UNIVERSITY.

In recent operations, Charcoal Typhoon has been observed interacting with LLMs in ways that suggest a limited exploration of how LLMs can augment their technical operations. This has consisted of using LLMs to support tooling development, scripting, understanding various commodity cybersecurity tools, and for generating content that could be used to social engineer targets. Based on these observations, we map and classify these TTPs using the following descriptions:

LLM-informed reconnaissance: Engaging LLMs to research and understand specific technologies, platforms, and vulnerabilities, indicative of preliminary information-gathering stages.
LLM-enhanced scripting techniques: Utilizing LLMs to generate and refine scripts, potentially to streamline and automate complex cyber tasks and operations.
LLM-supported social engineering: Leveraging LLMs for assistance with translations and communication, likely to establish connections or manipulate targets.
LLM-refined operational command techniques: Utilizing LLMs for advanced commands, deeper system access, and control representative of post-compromise behavior.

All associated accounts and assets of Charcoal Typhoon have been disabled, reaffirming our commitment to safeguarding against the misuse of AI technologies.

Salmon Typhoon

Salmon Typhoon (SODIUM) is a sophisticated Chinese state-affiliated threat actor with a history of targeting US defense contractors, government agencies, and entities within the cryptographic technology sector. This threat actor has demonstrated its capabilities through the deployment of malware, such as Win32/Wkysol, to maintain remote access to compromised systems. With over a decade of operations marked by intermittent periods of dormancy and resurgence, Salmon Typhoon has recently shown renewed activity. Salmon Typhoon overlaps with the threat actor tracked by other researchers as APT4 and Maverick Panda.

Notably, Salmon Typhoon’s interactions with LLMs throughout 2023 appear exploratory and suggest that this threat actor is evaluating the effectiveness of LLMs in sourcing information on potentially sensitive topics, high profile individuals, regional geopolitics, US influence, and internal affairs. This tentative engagement with LLMs could reflect both a broadening of their intelligence-gathering toolkit and an experimental phase in assessing the capabilities of emerging technologies.

Based on these observations, we map and classify these TTPs using the following descriptions:

LLM-informed reconnaissance: Engaging LLMs for queries on a diverse array of subjects, such as global intelligence agencies, domestic concerns, notable individuals, cybersecurity matters, topics of strategic interest, and various threat actors. These interactions mirror the use of a search engine for public domain research.
LLM-enhanced scripting techniques: Using LLMs to identify and resolve coding errors. Requests for support in developing code with potential malicious intent were observed by Microsoft, and it was noted that the model adhered to established ethical guidelines, declining to provide such assistance.
LLM-refined operational command techniques: Demonstrating an interest in specific file types and concealment tactics within operating systems, indicative of an effort to refine operational command execution.
LLM-aided technical translation and explanation: Leveraging LLMs for the translation of computing terms and technical papers.

Salmon Typhoon’s engagement with LLMs aligns with patterns observed by Microsoft, reflecting traditional behaviors in a new technological arena. In response, all accounts and assets associated with Salmon Typhoon have been disabled.

In closing, AI technologies will continue to evolve and be studied by various threat actors. Microsoft will continue to track threat actors and malicious activity misusing LLMs, and work with OpenAI and other partners to share intelligence, improve protections for customers and aid the broader security community.

Appendix: LLM-themed TTPs

Using insights from our analysis above, as well as other potential misuse of AI, we’re sharing the below list of LLM-themed TTPs that we map and classify to the MITRE ATT&CK® framework or MITRE ATLAS™ knowledgebase to equip the community with a common taxonomy to collectively track malicious use of LLMs and create countermeasures against:

LLM-informed reconnaissance: Employing LLMs to gather actionable intelligence on technologies and potential vulnerabilities.
LLM-enhanced scripting techniques: Utilizing LLMs to generate or refine scripts that could be used in cyberattacks, or for basic scripting tasks such as programmatically identifying certain user events on a system and assistance with troubleshooting and understanding various web technologies.
LLM-aided development: Utilizing LLMs in the development lifecycle of tools and programs, including those with malicious intent, such as malware.
LLM-supported social engineering: Leveraging LLMs for assistance with translations and communication, likely to establish connections or manipulate targets.
LLM-assisted vulnerability research: Using LLMs to understand and identify potential vulnerabilities in software and systems, which could be targeted for exploitation.
LLM-optimized payload crafting: Using LLMs to assist in creating and refining payloads for deployment in cyberattacks.
LLM-enhanced anomaly detection evasion: Leveraging LLMs to develop methods that help malicious activities blend in with normal behavior or traffic to evade detection systems.
LLM-directed security feature bypass: Using LLMs to find ways to circumvent security features, such as two-factor authentication, CAPTCHA, or other access controls.
LLM-advised resource development: Using LLMs in tool development, tool modifications, and strategic operational planning.

Learn more

Read the sixth edition of Cyber Signals, spotlighting how we are protecting AI platforms from emerging threats related to nation-state cyberthreat actors: Navigating cyberthreats and strengthening defenses in the era of AI.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

The post Staying ahead of threat actors in the age of AI appeared first on Microsoft Security Blog.

New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs

Microsoft Threat Intelligence — Wed, 17 Jan 2024 17:00:00 +0000

Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.

Operators associated with this subgroup of Mint Sandstorm are patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails. In some instances of this campaign, this subgroup also used legitimate but compromised accounts to send phishing lures. Additionally, Mint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might help the group persist in a compromised environment and better evade detection.

Mint Sandstorm (which overlaps with the threat actor tracked by other researchers as APT35 and Charming Kitten) is a composite name used to describe several subgroups of activity with ties to the Islamic Revolutionary Guard Corps (IRGC), an intelligence arm of Iran’s military. Microsoft attributes the activity detailed in this blog to a technically and operationally mature subgroup of Mint Sandstorm that specializes in gaining access to and stealing sensitive information from high-value targets. This group is known to conduct resource-intensive social engineering campaigns that target journalists, researchers, professors, or other individuals with insights or perspective on security and policy issues of interest to Tehran.

These individuals, who work with or who have the potential to influence the intelligence and policy communities, are attractive targets for adversaries seeking to collect intelligence for the states that sponsor their activity, such as the Islamic Republic of Iran. Based on the identities of the targets observed in this campaign and the use of lures related to the Israel-Hamas war, it’s possible this campaign is an attempt to gather perspectives on events related to the war from individuals across the ideological spectrum.

In this blog, we share our analysis of the new Mint Sandstorm tradecraft and provide detection, hunting, and protection information. Organizations can also use the mitigations included in this blog to harden their attack surfaces against the tradecraft observed in this and other Mint Sandstorm campaigns. These mitigations are high-value measures that are effective ways to defend organizations from multiple threats, including Mint Sandstorm, and are useful to any organization regardless of their threat model.

New Mint Sandstorm tradecraft

Microsoft observed new tactics, techniques, and procedures (TTPs) in this Mint Sandstorm campaign, notably the use of legitimate but compromised email accounts to send phishing lures, use of the Client for URL (curl) command to connect to Mint Sandstorm’s command-and-control (C2) server and download malicious files, and delivery of a new custom backdoor, MediaPl.

In this campaign, Mint Sandstorm masqueraded as high-profile individuals including as a journalist at a reputable news outlet. In some cases, the threat actor used an email address spoofed to resemble a personal email account belonging to the journalist they sought to impersonate and sent benign emails to targets requesting their input on an article about the Israel-Hamas war. In other cases, Mint Sandstorm used legitimate but compromised email accounts belonging to the individuals they sought to impersonate. Initial email messages did not contain any malicious content.

This tradecraft, namely the impersonation of a known individual, the use of highly bespoke phishing lures, and the use of wholly benign messages in the initial stages of the campaign, is likely an attempt to build rapport with targets and establish a level of trust before attempting to deliver malicious content to targets. Additionally, it’s likely that the use of legitimate but compromised email accounts, observed in a subset of this campaign, further bolstered Mint Sandstorm’s credibility, and might have played a role in the success of this campaign.

Delivery

If targets agreed to review the article or document referenced in the initial email, Mint Sandstorm followed up with an email containing a link to a malicious domain. In this campaign, follow up messages directed targets to sites such as cloud-document-edit[.]onrender[.]com, a domain hosting a RAR archive (.rar) file that purported to contain the draft document targets were asked to review. If opened, this .rar file decompressed into a double extension file (.pdf.lnk) with the same name. When launched, the .pdf.lnk file ran a curl command to retrieve a series of malicious files from attacker-controlled subdomains of glitch[.]me and supabase[.]co.

Microsoft observed multiple files downloaded to targets’ devices in this campaign, notably several .vbs scripts. In several instances, Microsoft observed a renamed version of NirCmd, a legitimate command line tool that allows a user to carry out a number of actions on a device without displaying a user interface, on a target’s device.

Persistence

In some cases, the threat actor used a malicious file, Persistence.vbs, to persist in targets’ environments. When run, Persistence.vbs added a file, typically named a.vbs, to the CurrentVersion\Run registry key. In other cases, Mint Sandstorm created a scheduled task to reach out to an attacker-controlled supabase[.]co domain and download a .txt file.

Figure 1. Intrusion chain leading to backdoors observed in the ongoing Mint Sandstorm campaign

Collection

Activity observed in this campaign suggests that Mint Sandstorm wrote activity from targets’ devices to a series of text files, notably one named documentLoger.txt.

In addition to the activity detailed above, in some cases, Mint Sandstorm dropped MischiefTut or MediaPl, custom backdoors.

MediaPl backdoor

MediaPl is a custom backdoor capable of sending encrypted communications to its C2 server. MediaPl is configured to masquerade as Windows Media Player, an application used to store and play audio and video files. To this end, Mint Sandstorm typically drops this file in C:\\Users\\[REDACTED] \\AppData\\Local\\Microsoft\\Media Player\\MediaPl.dll. When MediaPl.dll is run with the path of an image file provided as an argument, it launches the image in Windows Photo application and also parses the image for C2 information. Communications to and from MediaPl’s C2 server are AES CBC encrypted and Base64 encoded. As of this writing, MediaPl can terminate itself, can pause and retry communications with its C2 server, and launch command(s) it has received from the C2 using the _popen function.

MischiefTut

MischiefTut is a custom backdoor implemented in PowerShell with a set of basic capabilities. MischiefTut can run reconnaissance commands, write outputs to a text file and, ostensibly, send outputs back to adversary-controlled infrastructure. MischiefTut can also be used to download additional tools on a compromised system.

Implications

The ability to obtain and maintain remote access to a target’s system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system. Compromise of a targeted system can also create legal and reputational risks for organizations affected by this campaign. In light of the patience, resources, and skills observed in campaigns attributed to this subgroup of Mint Sandstorm, Microsoft continues to update and augment our detection capabilities to help customers defend against this threat.

Recommendations

Microsoft recommends the following mitigations to reduce the impact of activity associated with recent Mint Sandstorm campaigns.

Use the Attack Simulator in Microsoft Defender for Office 365 to organize realistic, yet safe, simulated phishing and password attack campaigns in your organization by training end-users against clicking URLs in unsolicited messages and disclosing their credentials. Training should include checking for poor spelling and grammar in phishing emails or the application’s consent screen as well as spoofed app names, logos and domain URLs appearing to originate from legitimate applications or companies. Note that Attack Simulator testing only supports phishing emails containing links at this time.
Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Turn on network protection to block connections to malicious domains and IP addresses.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.

Microsoft Defender XDR customers can also turn on attack surface reduction rules to harden their environments against techniques used by this Mint Sandstorm subgroup. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant protection against the tradecraft discussed in this report.

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects activity associated with the MediaPl backdoor as the following malware:

Backdoor:Win64/Eyeglass.A

Microsoft Defender Antivirus detects activity associated with the MischiefTut backdoor as the following malware:

Behavior:Win32/MischiefTut

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint provides customers with detections and alerts. Alerts with the following titles in the Security Center can indicate threat activity related to Mint Sandstorm.

Possible Mint Sandstorm activity
Anomaly detected in ASEP registry

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Defender XDR Threat analytics

Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets

Indicators of compromise

Organizations who fit the targeting model discussed in this report can hunt for the following indicators of compromise in their environments.

Domains

east-healthy-dress[.]glitch[.]me
coral-polydactyl-dragonfruit[.]glitch[.]me
kwhfibejjyxregxmnpcs[.]supabase[.]co
epibvgvoszemkwjnplyc[.]supabase[.]co
ndrrftqrlblfecpupppp[.]supabase[.]co
cloud-document-edit[.]onrender[.]com

Files

MediaPl.dll (SHA-256: f2dec56acef275a0e987844e98afcc44bf8b83b4661e83f89c6a2a72c5811d5f)

Advanced hunting

Microsoft Defender XDR

Curl command used to retrieve malicious files

Use this query to locate the curl command Mint Sandstorm used to pull down malicious files in this campaign.

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all('id=',
'&Prog') and InitiatingProcessCommandLine has_any('vbs', '--ssl')

Creation of log files

Use this query to identify files created by Mint Sandstorm, ostensibly for exfiltration.

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all('powershell', '$pnt', 'Get-Content', 'gcm') and InitiatingProcessCommandLine has_any('documentLog', 'documentLoger', 'Logdocument')

Files with double file name extensions

Use this query to find files with double extension, e.g., .pdf.lnk.

DeviceFileEvents
| where FileName endswith ".pdf.lnk"

Registry keys with VBScript

Use this query to find registry run keys entry with VBScript in value

DeviceRegistryEvents
| where ActionType == "RegistryValueSet" or ActionType == "RegistryKeyCreated"
| where RegistryKey endswith @"\Software\Microsoft\Windows\CurrentVersion\Run" or 
RegistryKey endswith @"\Software\Microsoft\Windows\CurrentVersion\RunOnce" or
RegistryKey endswith @"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
| where RegistryValueData has_any ("vbscript",".vbs")

Microsoft Sentinel

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

The post New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs appeared first on Microsoft Security Blog.

Financially motivated threat actors misusing App Installer

Microsoft Threat Intelligence — Thu, 28 Dec 2023 18:00:00 +0000

Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware. In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks. In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default.

The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution. Multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler. These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software. A second vector of phishing through Microsoft Teams is also in use by Storm-1674.

Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats.

In this blog, we provide an analysis of activity by financially motivated threat actors abusing App Installer observed since mid-November 2023.

Threat actors abusing App Installer since mid-November 2023

Microsoft Threat intelligence observed several actors—including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674—using App Installer as a point of entry for human-operated ransomware activity. The observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files.

Storm-0569

At the beginning of December 2023, Microsoft observed Storm-0569 distributing BATLOADER through search engine optimization (SEO) poisoning with sites spoofing legitimate software downloads such as Zoom, Tableau, TeamViewer, and AnyDesk. Users who search for a legitimate software application on Bing or Google may be presented with a landing page spoofing the original software provider’s landing pages that include links to malicious installers through the ms-appinstaller protocol. Spoofing and impersonating popular legitimate software is a common social engineering tactic. These software are not affected by the attacks directly, but this information can help users better spot malicious spoofing by threat actors.

Figure 1. A malicious landing page spoofing Zoom accessed via malicious search engine advertisement for Zoom downloads

Figure 2. Sample malicious App Installer experience. Note the Publisher is not who a user should expect to be publishing this software.

Users who click the links to the installers are presented with the desktop App Installer experience. If the user clicks “Install” in the desktop App Installer, the malicious application is installed and eventually runs additional processes and scripts that lead to malware installation.

Storm-0569 then uses PowerShell and batch scripts that lead to the download of BATLOADER. In one observed instance, Storm-0569’s BATLOADER dropped a Cobalt Strike Beacon followed by data exfiltration using the Rclone data exfiltration tools and Black Basta ransomware deployment by Storm-0506.

Storm-0569 is an access broker that focuses on downloading post-compromise payloads, such as BATLOADER, through malvertising and phishing emails containing malicious links to download sites. The threat actor also provides malicious installers and landing page frameworks to other actors. They cover multiple infection chains that typically begin with maliciously signed Microsoft Installer (MSI) files posing as legitimate software installations or updates for applications such as TeamViewer, Zoom, and AnyDesk. Storm-0569 infection chains have led to additional dropped payloads, including IcedID, Cobalt Strike Beacon, and remote monitoring and management (RMM) tools, culminating in a handoff to ransomware operators like Storm-0846 and Storm-0506.

Storm-1113

Since mid-November 2023, Microsoft observed Storm-1113’s EugenLoader delivered through search advertisements mimicking the Zoom app. Once a user accesses a compromised website, a malicious MSIX installer (EugenLoader) is downloaded on a device and used to deliver additional payloads. These payloads could include previously observed malware installs, such as Gozi, Redline stealer, IcedID, Smoke Loader, NetSupport Manager (also referred to as NetSupport RAT), Sectop RAT, and Lumma stealer.

Storm-1113 is a threat actor that acts both as an access broker focused on malware distribution through search advertisements and as an “as-a-service” entity providing malicious installers and landing page frameworks. In Storm-1113 malware distribution campaigns, users are directed to landing pages mimicking well-known software that host installers, often MSI files, that lead to the installation of malicious payloads. Storm-1113 is also the developer of EugenLoader, a commodity malware first observed around November 2022.

Sangria Tempest

In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113’s EugenLoader delivered through malicious MSIX package installations. Sangria Tempest then drops Carbanak, a backdoor used by the actor since 2014, that in turn delivers the Gracewire malware implant. In other cases, Sangria Tempest uses Google ads to lure users into downloading malicious MSIX application packages—possibly relying on Storm-1113 infrastructure—leading to the delivery of POWERTRASH, a highly obfuscated PowerShell script. POWERTRASH is then used to load NetSupport and Gracewire, a malware typically affiliated with the threat actor Lace Tempest, whom Sangria Tempest has cooperated with in past intrusions.

Sangria Tempest (previously ELBRUS, also tracked as Carbon Spider, FIN7) is a financially motivated cybercriminal group currently focusing on conducting intrusions that often lead to data theft, followed by targeted extortion or ransomware deployment such as Clop ransomware.

Storm-1674

Since the beginning of December 2023, Microsoft identified instances where Storm-1674 delivered fake landing pages through messages delivered using Teams. The landing pages spoof Microsoft services like OneDrive and SharePoint, as well as other companies. Tenants created by the threat actor are used to create meetings and send chat messages to potential victims using the meeting’s chat functionality.

Figure 3. Landing page pretending to be a SharePoint site for a spoofed employment opportunity site; target users are led to this landing page via malicious URLs sent via Teams messages.

Figure 4. Fake error the user receives when clicking on any of the PDFs in the SharePoint. Clicking OK invokes ms-appinstaller.

Figure 5. Sample malicious App Installer experience. Note the Publisher is not who a user should expect to be publishing Adobe software.

Figure 6. Malicious landing page pretending to be a networking security tool; target users are led to this landing page via malicious URLs sent via Teams messages.

Figure 7. Sample JavaScript invokes ms-appinstaller handler from malicious landing page at time of user click.

Figure 8. Sample malicious App Installer experience. Note the Publisher is not who a user should expect to be publishing this software.

The user is then lured into downloading spoofed applications like the ones shown in figures 5 and 8, which will likely drop SectopRAT or DarkGate. In these cases, Storm-1674 was using malicious installers and landing page frameworks provided by Storm-1113.

Microsoft assesses this technique was used to avoid the accept/block screen shown in one-on-one and group chats. The Teams client now shows an accept/block screen for meeting chats sent by an external user.

Microsoft has taken action to mitigate the spread of malware from confirmed malicious tenants by blocking their ability to send messages thus cutting off the main method used for phishing.

Storm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware. Storm-1674 campaigns have typically relied on phishing lures sent over Teams with malicious attachments, such as ZIP files containing a LNK file that ultimately drops DarkGate and Pikabot. In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.

Recommendations

The ms-appinstaller URI scheme handler has been disabled by default in App Installer build 1.21.3421.0. Refer to the Microsoft Security Response Blog for App Installer protection tips.

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

Pilot and deploy phishing-resistant authentication methods for users.
Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
Apply Microsoft’s security best practices for Microsoft Teams to safeguard Teams users.
Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
Educate users to use the browser URL navigator to validate that upon clicking a link in search results they have arrived at an expected legitimate domain.
Educate users to verify that the software that is being installed is expected to be published by a legitimate publisher.
Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
Turn on PUA protection in block mode.
Turn on attack surface reduction rules to prevent common attack techniques:
- Use advanced protection against ransomware Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Appendix

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the malware listed below. Enterprise customers managing updates should select the detection build 1.403.520.0 or newer and deploy it across their environments.

Microsoft Defender Antivirus detects associated post-compromise activity as the following:

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

An executable loaded an unexpected dll
A process was injected with potentially malicious code
Suspicious sequence of exploration activities
Activity that might lead to information stealer
Possible theft of passwords and other sensitive web browser information

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

A file or network connection related to ransomware-linked actor Storm-0569 detected
Storm-1113 threat actor detected
Ransomware-linked Sangria Tempest threat activity group detected
Potential BATLOADER activity
Potential IcedID activity
Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
Human-operated attack using Cobalt Strike
Possible POWERTRASH loader activity
Carbanak backdoor detected

Microsoft Defender for Office 365

Microsoft Defender for Office 365 detects malicious activity associated with this threat.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, and respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft 365 Defender Threat analytics

Hunting queries

Microsoft Defender XDR

Use this query to review all the ms-appinstaller protocol handler invoked network connections in your environment.

DeviceNetworkEvents
| where InitiatingProcessCommandLine == '"AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca'  and RemoteUrl has_any ("https://", "http://")

Indicators of compromise

Storm-0569 indicators related to App Installer abuse

SHA-256

48aa2393ef590bab4ff2fd1e7d95af36e5b6911348d7674347626c9aaafa255e
11b71429869f29122236a44a292fde3f0269cde8eb76a52c89139f79f4b97e63
7e646dfe7b7f330cb21db07b94f611eb39f604fab36e347fb884f797ba462402
ffb45dc14ea908b21e01e87ec18725dff560c093884005c2b71277e2de354866
b79633917e51da2a4401473d08719f493d61fd64a1b10fe482c12d984d791ccb

URLs

hxxps://scheta[.]site/api.store/ZoomInstaller.msix
hxxps://scheta[.]site/api.store/Setup.msix

Domain names

teannviewer.ithr[.]org
tab1eu.ithr[.]org
amydeks.ithr[.]org
zoonn.ithr[.]org
scheta[.]site
tnetworkslicense[.]ru
1204knos[.]ru
1204networks[.]ru
abobe.ithr[.]org

Storm-0506 Cobalt Strike beacon C2:

gertefin[.]com
septcntr[.]com

Storm-1113 indicators related to App Installer abuse

SHA-256

44cac5bf0bab56b0840bd1c7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5

Domain names

info-zoomapp[.]com
zoonn[.]meetlng[.]group

Sangria Tempest indicators related to App Installer abuse

Domain names

storageplace[.]pro
sun1[.]space

SHA-256

2ba527fb8e31cb209df8d1890a63cda9cd4433aa0b841ed8b86fa801aff4ccbd
06b4aebbc3cd62e0aadd1852102645f9a00cc7eea492c0939675efba7566a6de

Storm-1674 indicators related to App Installer abuse

SHA-256

2ed5660c7b768b4c2a7899d00773af60cd4396f24a2f7d643ccc1bf74a403970

Domain names:

nixonpeabody[.]tech-department[.]us
amgreetings[.]tech-department[.]us
cbre[.]tech-department[.]us
tech-department[.]us
kellyservices-hr[.]com
hubergroup[.]tech-department[.]us
formeld[.]tech-department[.]us
kellyhrservices-my[.]sharepoint[.]com
kellyserviceshr-my[.]sharepoint[.]com
kellyservicesrecruitmentdep-my[.]sharepoint[.]com
kellyservicesheadhunter-my[.]sharepoint[.]com
mckinseyhrcompany-my[.]sharepoint[.]com
webmicrosoftservicesystem[.]com
perimeter81support-my[.]sharepoint[.]com
cabotcorpsupport-my[.]sharepoint[.]com

References

Threat actors misuse OAuth applications to automate financially driven attacks

Microsoft Threat Intelligence — Tue, 12 Dec 2023 18:00:00 +0000

Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. OAuth is an open standard for token-based authentication and authorization that enables applications to get access to data and resources based on permissions set by a user. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity. The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account.

In attacks observed by Microsoft Threat Intelligence, threat actors launched phishing or password spraying attacks to compromise user accounts that did not have strong authentication mechanisms and had permissions to create or modify OAuth applications. The threat actors misused the OAuth applications with high privilege permissions to deploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email compromise (BEC), and launch spamming activity using the targeted organization’s resources and domain name.

Microsoft continuously tracks attacks that misuse of OAuth applications for a wide range of malicious activity. This visibility enhances the detection of malicious OAuth applications via Microsoft Defender for Cloud Apps and prevents compromised user accounts from accessing resources via Microsoft Defender XDR and Microsoft Entra Identity Protection. In this blog post, we present cases where threat actors compromised user accounts and misused OAuth applications for their financially driven attacks, outline recommendations for organizations to mitigate such attacks, and provide detailed information on how Microsoft detects related activity:

OAuth applications to deploy VMs for cryptomining

Microsoft observed the threat actor tracked as Storm-1283 using a compromised user account to create an OAuth application and deploy VMs for cryptomining. The compromised account allowed Storm-1283 to sign in via virtual private network (VPN), create a new single-tenant OAuth application in Microsoft Entra ID named similarly as the Microsoft Entra ID tenant domain name, and add a set of secrets to the application. As the compromised account had an ownership role on an Azure subscription, the actor also granted ‘Contributor’ role permission for the application to one of the active subscriptions using the compromised account.

The actor also leveraged existing line-of-business (LOB) OAuth applications that the compromised user account had access to in the tenant by adding an additional set of credentials to those applications. The actor initially deployed a small set of VMs in the same compromised subscriptions using one of the existing applications and initiated the cryptomining activity. The actor then later returned to deploy more VMs using the new application. Targeted organizations incurred compute fees ranging from 10,000 to 1.5 million USD from the attacks, depending on the actor’s activity and duration of the attack.

Storm-1283 looked to maintain the setup as long as possible to increase the chance of successful cryptomining activity. We assess that, for this reason, the actor used the naming convention [DOMAINNAME]_[ZONENAME]_[1-9] (the tenant name followed by the region name) for the VMs to avoid suspicion.

Figure 1. OAuth application for cryptocurrency mining attack chain

Microsoft Threat Intelligence analysts were able to detect the threat actor’s actions and worked with the Microsoft Entra team to block the OAuth applications that were part of this attack. Affected organizations were also informed of the activity and recommended further actions.

OAuth applications for BEC and phishing

In another attack observed by Microsoft, a threat actor compromised user accounts and created OAuth applications to maintain persistence and to launch email phishing activity. The threat actor used an adversary-in-the-middle (AiTM) phishing kit to send a significant number of emails with varying subject lines and URLs to target user accounts in multiple organizations. In AiTM attacks, threat actors attempt to steal session tokens from their targets by sending phishing emails with a malicious URL that leads to a proxy server that facilitates a genuine authentication process.

Figure 2. Snippet of sample phishing email sent by the threat actor

We observed the following email subjects used in the phishing emails:

shared “ contracts” with you.
shared “” with you.
OneDrive: You have received a new document today
Mailbox password expiry
Mailbox password expiry
You have Encrypted message
Encrypted message received

After the targets clicked the malicious URL in the email, they were redirected to the Microsoft sign-in page that was proxied by the threat actor’s proxy server. The proxy server set up by the threat actor allowed them to steal the token from the user’s session cookie. Later, the stolen token was leveraged to perform session cookie replay activity. Microsoft was able to confirm during further investigation that the compromised user account was flagged for risky sign-ins when the account was used to sign in from an unfamiliar location and from an uncommon user agent.

For persistence following business email compromise

In some cases, following the stolen session cookie replay activity, the actor leveraged the compromised user account to perform BEC financial fraud reconnaissance by opening email attachments in Microsoft Outlook Web Application (OWA) that contain specific keywords such as “payment” and “invoice”. This action typically precedes financial fraud attacks where the threat actor seeks out financial conversations and attempts to socially engineer one party to modify payment information to an account under attacker control.

Figure 3. Attack chain for OAuth application misuse following BEC

Later, to maintain persistence and carry out malicious actions, the threat actor created an OAuth application using the compromised user account. The actor then operated under the compromised user account session to add new credentials to the OAuth application.

For email phishing activity

In other cases, instead of performing BEC reconnaissance, the threat actor created multitenant OAuth applications following the stolen session cookie replay activity. The threat actor used the OAuth applications to maintain persistence, add new credentials, and then access Microsoft Graph API resource to read emails or send phishing emails.

Figure 4. Attack chain for OAuth application misuse for phishing

At the time of analysis, we observed that threat actor created around 17,000 multitenant OAuth applications across different tenants using multiple compromised user accounts. The created applications mostly had two different sets of application metadata properties, such as display name and scope:

Malicious multitenant OAuth applications with the display name set as “oauth” were granted permissions “user.read; mail.readwrite; email; profile; openid; mail.read; people.read” and access to Microsoft Graph API and read emails.
Malicious multitenant OAuth applications with the display name set as “App” were granted permissions “user.read; mail.readwrite; email; profile; openid; mail.send” and access to Microsoft Graph API to send high volumes of phishing emails to both intra-organizational and external organizations.

Figure 5. Sample phishing email sent by the malicious OAuth application

In addition, we observed that the threat actor, before using the OAuth applications to send phishing emails, leveraged the compromised user accounts to create inbox rules with suspicious rule names like “…” to move emails to the junk folder and mark them as read. This is to evade detection by the compromised user that the account was used to send phishing emails.

Figure 6. Inbox rule created by the threat actor using the compromised user account

Based on the email telemetry, we observed that the malicious OAuth applications created by the threat actor sent more than 927,000 phishing emails. Microsoft has taken down all the malicious OAuth applications found related to this campaign, which ran from July to November 2023.

OAuth applications for spamming activity

Microsoft also observed large-scale spamming activity through OAuth applications by a threat actor tracked as Storm-1286. The actor launched password spraying attacks to compromise user accounts, the majority of which did not have multifactor authentication (MFA) enabled. We also observed the user agent BAV2ROPC in the sign-in activities related to the compromised accounts, which indicated the use of legacy authentication protocols such as IMAP and SMTP that do not support MFA.

We observed the actor using the compromised user accounts to create anywhere from one to three new OAuth applications in the targeted organization using Azure PowerShell or a Swagger Codegen-based client. The threat actor then granted consent to the applications using the compromised accounts. These applications were set with permissions like email, profile, openid, Mail.Send, User.Read and Mail.Read, which allowed the actor to control the mailbox and send thousands of emails a day using the compromised user account and the organization domain. In some cases, the actor waited for months after the initial access and setting up of OAuth applications before starting the spam activity using the applications. The actor also used legitimate domains to avoid phishing and spamming detectors.

Figure 7. Attack chain for large-scale spam using OAuth applications

In previous large-scale spam activities, we observed threat actors attempting to compromise admin accounts without MFA and create new LOB applications with high administrative permissions to abuse Microsoft Exchange Online and spread spam. While the activity of the actor then was limited due to actions taken by Microsoft Threat Intelligence such as blocking clusters of the OAuth applications in the past, Storm-1286 continues to try new ways to set a similar high-scale spamming platform in victim organizations by using non-privileged users.

Mitigation steps

Microsoft recommends the following mitigations to reduce the impact of these types of threats.

Mitigate credential guessing attacks risks

A key step in reducing the attack surface is securing the identity infrastructure. The most common initial access vector observed in this attack was account compromise through credential stuffing, phishing, and reverse proxy (AiTM) phishing. In most cases the compromised accounts did not have MFA enabled. Implementing security practices that strengthen account credentials such as enabling MFA reduced the chance of attack dramatically.

Enable conditional access policies

Conditional access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies for User and Sign-in Risk, device compliance and trusted IP address requirements. If your organization has a Microsoft-Managed Conditional Access policy, make sure it is enforced.

Ensure continuous access evaluation is enabled

Continuous access evaluation (CAE) revokes access in real time when changes in user conditions trigger risks, such as when a user is terminated or moves to an untrusted location.

Enable security defaults

While some of the features mentioned above require paid subscriptions, the security defaults in Azure AD, which is mainly for organizations using the free tier of Azure Active Directory licensing, are sufficient to better protect the organizational identity platform, as they provide preconfigured security settings such as MFA, protection for privileged activities, and others.

Enable Microsoft Defender automatic attack disruption

Microsoft Defender automatic attack disruption capabilities minimize lateral movement and curbs the overall impact of an attack in its initial stages.

Audit apps and consented permissions

Audit apps and consented permissions in your organization ensure applications are only accessing necessary data and adhering to the principles of least privilege. Use Microsoft Defender for Cloud Apps and its app governance add-on for expanded visibility into cloud activity in your organization and control over applications that access your Microsoft 365 data.

Educate your organization on application permissions and data accessible by applications with respective permissions to identify malicious apps.

Enhance suspicious OAuth application investigation with the recommended approach to investigate and remediate risky OAuth apps.

Enable “Review admin consent requests” for forcing new applications review in the tenant.

In addition to the recommendations above, Microsoft has published incident response playbooks for App consent grant investigation and compromised and malicious applications investigation that defenders can use to respond quickly to related threats.

Secure Azure Cloud resources

Deploy MFA to all users, especially for tenant administrators and accounts with Azure VM Contributor privileges. Limit unused quota and monitor for unusual quota increases in your Azure subscriptions, with an emphasis on the resource’s originating creation or modification. Monitor for unexpected sign-in activity from IP addresses associated with free VPN services on high privilege accounts. Connect Microsoft Defender for Cloud Apps connector to ARM or use Microsoft Defender for ARM

With the rise of hybrid work, employees might use their personal or unmanaged devices to access corporate resources, leading to an increased possibility of token theft. To mitigate this risk, organizations can enhance their security measures by obtaining complete visibility into their users’ authentication methods and locations. Refer to the comprehensive blog post Token tactics: How to prevent, detect, and respond to cloud token theft.

Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Defender for Office 365 to recheck links upon time of click and delete sent mail in response to newly acquired threat intelligence. Turn on Safe Attachments policies to check attachments in inbound emails.

Detections for related techniques

Leveraging its cross-signal capabilities, Microsoft Defender XDR alerts customers using Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, Application governance add-on, Microsoft Defender for Cloud, and Microsoft Entra ID Protection to detect the techniques covered in the attack through the attack chain. Each product can provide a different aspect for protection to cover the techniques observed in this attack:

Microsoft Defender XDR

Microsoft Defender XDR detects threat components associated with the following activities:

User compromised in AiTM phishing attack
User compromised via a known AiTM phishing kit
BEC financial fraud-related reconnaissance
BEC financial fraud

Microsoft Defender for Cloud Apps

Using Microsoft Defender for Cloud Apps connectors for Microsoft 365 and Azure, Microsoft Defender XDR raises the following alerts:

Stolen session cookie was used
Activity from anonymous IP address
Activity from a password-spray associated IP address
User added or updated a suspicious OAuth app
Risky user created or updated an app that was observed creating a bulk of Azure virtual machines in a short interval
Risky user updated an app that accessed email and performed email activity through Graph API
Suspicious creation of OAuth app by compromised user
Suspicious secret addition to OAuth app followed by creation of Azure virtual machines
Suspicious OAuth app creation
Suspicious OAuth app email activity through Graph API
Suspicious OAuth app-related activity by compromised user
Suspicious user signed into a newly created OAuth app
Suspicious addition of OAuth app permissions
Suspicious inbox manipulation rule
Impossible travel activity
Multiple failed login attempts

App governance

App governance is an add-on to Microsoft Defender for Cloud Apps, which can detect malicious OAuth applications that make sensitive Exchange Online administrative activities along with other threat detection alerts. Activity related to this campaign triggers the following alerts:

Entra Line-of-Business app initiating an anomalous spike in virtual machine creation
OAuth app with high scope privileges in Microsoft Graph was observed initiating virtual machine creation
Suspicious OAuth app used to send numerous emails

To receive this alert, turn on app governance for Microsoft Defender for Cloud Apps.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 detects threat activity associated with this spamming campaign through the following email security alerts. Note, however, that these alerts may also be triggered by unrelated threat activity. We’re listing them here because we recommend that these alerts be investigated and remediated immediately.

A potentially malicious URL click was detected
A user clicked through to a potentially malicious URL
Suspicious email sending patterns detected
User restricted from sending email
Email sending limit exceeded

Microsoft Defender for Cloud

Microsoft Defender for Cloud detects threat components associated with the activities outlined in this article with the following alerts:

Azure Resource Manager operation from suspicious proxy IP address
Crypto-mining activity
Digital currency mining activity
Suspicious Azure role assignment detected
Suspicious creation of compute resources detected
Suspicious invocation of a high-risk ‘Execution’ operation by a service principal detected
Suspicious invocation of a high-risk ‘Execution’ operation detected
Suspicious invocation of a high-risk ‘Impact’ operation by a service principal detected

Microsoft Entra Identity Protection

Microsoft Entra Identity Protection detects the threats described with the following alerts:

Anomalous Token
Unfamiliar sign-in properties
Anonymous IP address
Verified threat actor IP
Atypical travel

Hunting guidance

Microsoft 365 Defender

Microsoft 365 Defender customers can run the following query to find related activity in their networks:

OAuth application interacting with Azure workloads

let OAuthAppId = ;
CloudAppEvents
| where Timestamp >ago (7d)  
| where AccountId == OAuthAppId 
| where AccountType== "Application"
| extend Azure_Workloads = RawEventData["operationName"]
| distinct Azure_Workloads by AccountId

Password spray attempts

This query identifies failed sign-in attempts to Microsoft Exchange Online from multiple IP addresses and locations.

IdentityLogonEvents
| where Timestamp > ago(3d)
| where ActionType == "LogonFailed" and LogonType == "OAuth2:Token" and Application == "Microsoft Exchange Online"
| summarize count(), dcount(IPAddress), dcount(CountryCode) by AccountObjectId, AccountDisplayName, bin(Timestamp, 1h)

Suspicious application creation

This query finds new applications added in your tenant.

CloudAppEvents
| where ActionType in ("Add application.", "Add service principal.")
| mvexpand modifiedProperties = RawEventData.ModifiedProperties
| where modifiedProperties.Name == "AppAddress"
| extend AppAddress = tolower(extract('\"Address\": \"(.*)\",',1,tostring(modifiedProperties.NewValue)))
| mvexpand ExtendedProperties = RawEventData.ExtendedProperties
| where ExtendedProperties.Name == "additionalDetails"
| extend OAuthApplicationId = tolower(extract('\"AppId\":\"(.*)\"',1,tostring(ExtendedProperties.Value)))
| project Timestamp, ReportId, AccountObjectId, Application, ApplicationId, OAuthApplicationId, AppAddress

Suspicious email events

NOTE: These queries need to be updated with timestamps related to application creation time before running.

//Identify High Outbound Email Sender
EmailEvents 
| where Timestamp between ( .. ) //Timestamp from the app creation time to few hours upto 24 hours or more 
| where EmailDirection in ("Outbound") 
| project
    RecipientEmailAddress,
    SenderFromAddress,
    SenderMailFromAddress,
    SenderObjectId,
    NetworkMessageId 
| summarize
    RecipientCount = dcount(RecipientEmailAddress),
    UniqueEmailSentCount = dcount(NetworkMessageId)
    by SenderFromAddress, SenderMailFromAddress, SenderObjectId
| sort by UniqueEmailSentCount desc 
//| where UniqueEmailSentCount >  //Optional, return only if the sender sent more than the threshold
//| take 100 //Optional, return only top 100
 
//Identify Suspicious Outbound Email Sender
EmailEvents 
//| where Timestamp between ( .. ) //Timestamp from the app creation time to few hours upto 24 hours or more 
| where EmailDirection in ("Outbound") 
| project
    RecipientEmailAddress,
    SenderFromAddress,
    SenderMailFromAddress,
    SenderObjectId, 
    DetectionMethods,
    NetworkMessageId 
| summarize
    RecipientCount = dcount(RecipientEmailAddress),
    UniqueEmailSentCount = dcount(NetworkMessageId),
    SuspiciousEmailCount = dcountif(NetworkMessageId,isnotempty(DetectionMethods))
    by SenderFromAddress, SenderMailFromAddress, SenderObjectId
| extend SuspiciousEmailPercentage = SuspiciousEmailCount/UniqueEmailSentCount * 100 //Calculate the percentage of suspicious email compared to all email sent
| sort by SuspiciousEmailPercentage desc 
//| where UniqueEmailSentCount >  //Optional, return only if the sender suspicious email percentage is more than the threshold
//| take 100 //Optional, return only top 100

//Identify Recent Emails Sent by Restricted Email Sender
AlertEvidence
| where Title has "User restricted from sending email"
| project AccountObjectId //Identify the user who are restricted to send email
| join EmailEvents on $left.AccountObjectId == $right.SenderObjectId //Join information from Alert Evidence and Email Events
| project
    Timestamp,
    RecipientEmailAddress,
    SenderFromAddress,
    SenderMailFromAddress,
    SenderObjectId,
    SenderIPv4,
    Subject,
    UrlCount,
    AttachmentCount,
    DetectionMethods,
    AuthenticationDetails, 
    NetworkMessageId
| sort by Timestamp desc 
//| take 100 //Optional, return only first 100

BEC recon and OAuth application activity

//High and Medium risk SignIn activity
AADSignInEventsBeta
| where Timestamp >ago (7d)
| where ErrorCode==0
| where RiskLevelDuringSignIn >= 50
| project
    AccountUpn,
    AccountObjectId,
    SessionId,
    RiskLevelDuringSignIn,
    ApplicationId,
    Application

//Oauth Application creation or modification by user who has suspicious sign in activities
AADSignInEventsBeta
| where Timestamp >ago (7d)
| where ErrorCode == 0
| where RiskLevelDuringSignIn >= 50
| project SignInTime=AccountUpn, AccountObjectId, SessionId, RiskLevelDuringSignIn, ApplicationId, Application
| join kind=leftouter (CloudAppEvents | where Timestamp > ago(7d)
| where ActionType in ("Add application.", "Update application.", "Update application – Certificates and secrets management ")
| extend appId = tostring(parse_json(RawEventData.Target[4].ID))
| project
    Timestamp,
    ActionType,
    Application,
    ApplicationId,
    UserAgent,
    ISP,
    AccountObjectId,
    AppName=ObjectName,
    OauthApplicationId=appId,
    RawEventData ) on AccountObjectId
| where isnotempty(ActionType)

 
//Suspicious BEC reconnaisance activity 
let bec_keywords = pack_array("payment", "receipt", "invoice", "inventory"); 
let reconEvents = 
    CloudAppEvents
    | where Timestamp >ago (7d)
    | where ActionType in ("MailItemsAccessed", "Update")
    | where AccountObjectId in ("")
    | extend SessionId = tostring(parse_json(RawEventData.SessionId))
    | project
        Timestamp,
        ActionType,
        AccountObjectId,
        UserAgent,
        ISP,
        IPAddress,
        SessionId,
        RawEventData;
reconEvents;
let updateActions = reconEvents
    | where ActionType == "Update" 
    | extend Subject=tostring(RawEventData["Item"].Subject)
    | where isnotempty(Subject)
    | where Subject has_any (bec_keywords)
    | summarize UpdateCount=count() by bin (Timestamp, 15m), Subject, AccountObjectId, SessionId, IPAddress;
updateActions;
let mailItemsAccessedActions = reconEvents 
    | where ActionType == "MailItemsAccessed" 
    | extend OperationCount = toint(RawEventData["OperationCount"])
    | summarize TotalCount = sum(OperationCount) by bin (Timestamp, 15m), AccountObjectId, SessionId, IPAddress;
mailItemsAccessedActions;
 
//SignIn to newly created app within Risky Session
AADSignInEventsBeta
| where Timestamp >ago (7d) 
| where AccountObjectId in ("") and 
SessionId in ("")
| where ApplicationId in ("") // Recently added or modified App Id
| project
    AccountUpn,
    AccountObjectId,
    ApplicationId,
    Application,
    SessionId,
    RiskLevelDuringSignIn,
    RiskLevelAggregated,
    Country

// To check suspicious Mailbox rules
CloudAppEvents
| where Timestamp between (start .. end) //Timestamp from the app creation time to few hours, usually before spam emails sent
| where AccountObjectId in ("")
| where Application == "Microsoft Exchange Online"
| where ActionType in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Set-TransportRule", "New-TransportRule", "Enable-InboxRule", "UpdateInboxRules")
| where isnotempty(IPAddress)
| mvexpand ActivityObjects
| extend name = parse_json(ActivityObjects).Name
| extend value = parse_json(ActivityObjects).Value
| where name == "Name"
| extend RuleName = value 
| project Timestamp, ReportId, ActionType, AccountObjectId, IPAddress, ISP, RuleName

// To check any suspicious Url clicks from emails before risky signin by the user
UrlClickEvents
| where Timestamp between (start .. end) //Timestamp around time proximity of Risky signin by user
| where AccountUpn has "" and ActionType has "ClickAllowed"
| project Timestamp,Url,NetworkMessageId

// To fetch the suspicious email details
EmailEvents
| where Timestamp between (start .. end) //Timestamp lookback to be increased gradually to find the email received
| where EmailDirection has "Inbound"
| where RecipientEmailAddress has "" and NetworkMessageId == ""
| project SenderFromAddress,SenderMailFromAddress,SenderIPv4,SenderFromDomain, Subject,UrlCount,AttachmentCount
    
    
// To check if suspicious emails sent for spamming (with similar email subjects, urls etc.)
EmailEvents
| where Timestamp between (start .. end) //Timestamp from the app creation time to few hours upto 24 hours or more
| where EmailDirection in ("Outbound","Intra-org")
| where SenderFromAddress has ""  or SenderMailFromAddress has ""
| project RecipientEmailAddress,RecipientObjectId,SenderIPv4,SenderFromDomain, Subject,UrlCount,AttachmentCount,NetworkMessageId

Microsoft Sentinel

Analytic rules:

Hunting queries:

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

The post Threat actors misuse OAuth applications to automate financially driven attacks appeared first on Microsoft Security Blog.

Star Blizzard increases sophistication and evasion in ongoing attacks

Microsoft Threat Intelligence — Thu, 07 Dec 2023 12:01:00 +0000

Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian state-sponsored actor we track as Star Blizzard (formerly SEABORGIUM, also known as COLDRIVER and Callisto Group). Star Blizzard has improved their detection evasion capabilities since 2022 while remaining focused on email credential theft against the same targets. Star Blizzard, whose activities we assess to have historically supported both espionage and cyber influence objectives, continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests. Microsoft continues to refine and deploy protections against Star Blizzard’s evolving spear-phishing tactics.

Microsoft is grateful for the collaboration on investigating Star Blizzard compromises with the international cybersecurity community, including our partners at the UK National Cyber Security Centre, the US National Security Agency Cybersecurity Collaboration Center, and the US Federal Bureau of Investigation.

This blog provides updated technical information about Star Blizzard tactics, techniques, and procedures (TTPs), building on our 2022 blog as the actor continues to refine their tradecraft to evade detection. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.

New TTPs: Evasion techniques

Based on our analysis of the actor’s TTPs since our previous blog in 2022, Star Blizzard has evolved to focus on improving its detection evasion capabilities. Microsoft has identified five new Star Blizzard evasive techniques:

Use of server-side scripts to prevent automated scanning of actor-controlled infrastructure.
Use of email marketing platform services to hide true email sender addresses and obviate the need for including actor-controlled domain infrastructure in email messages
Use of a DNS provider to obscure the IP addresses of actor-controlled virtual private server (VPS) infrastructure. Once notified, the DNS provider took action to mitigate actor-controlled domains abusing their service.
Password-protected PDF lures or links to cloud-based file-sharing platforms where PDF lures are hosted
Shifting to a more randomized domain generation algorithm (DGA) for actor-registered domains

Use of server-side scripts to prevent automated scanning

Beginning in April 2023, we observed Star Blizzard gradually move away from using hCaptcha servers as the sole initial filter to prevent automatic scanning of their Evilginx server infrastructure. Redirection was still performed by an actor-controlled server, now first executing JavaScript code (titled “Collect and Send User Data”) before redirecting the browsing session to the Evilginx server.

Shortly after, in May 2023, the threat actor was observed refining the JavaScript code, resulting in an updated version (titled “Docs”), which is still in use today.

This capability collects various information from the browser performing the browsing session to the redirector server.

The code contains three main functions:

pluginsEmpty(): This function checks if the browser has any plugins installed.

isAutomationTool(): This function checks for various indicators that the page is being accessed by an automation tool (such as Selenium, PhantomJS, or Nightmare) and returns an object with information about the detected tools.

sendToBackend(data): This function sends the data collected by isAutomationTool() to the server using a POST request. If the server returns a response, the message in the response is executed using eval().

Following the POST request, the redirector server assesses the data collected from the browser and decides whether to allow continued browser redirection.

When a good verdict is reached, the browser receives a response from the redirection server, redirecting to the next stage of the chain, which is either an hCaptcha for the user to solve, or direct to the Evilginx server.

A bad verdict results in the receipt of an HTTP error response and no further redirection.

Figure 1. Content of POST request and server response using “Collect and Send User Data” JavaScript

Use of email marketing platform services

We have observed Star Blizzard using two different services, HubSpot and MailerLite. The actor uses these services to create an email campaign, which provides them with a dedicated subdomain on the service that is then used to create URLs. These URLs act as the entry point to a redirection chain ending at actor-controlled Evilginx server infrastructure. The services can also provide the user with a dedicated email address per configured email campaign, which the threat actor has been seen to use as the “From” address in their campaigns.

Most Star Blizzard HubSpot email campaigns have targeted multiple academic institutions, think tanks, and other research organizations using a common theme, aimed at obtaining their credentials for a US grants management portal. We assess that this use-case of the HubSpot mailing platform was to allow the threat actor to track large numbers of identical messages sent to multiple recipients. Note should be taken to the “Reply-to” address in these emails, which is required by the HubSpot platform to be an actual in-use account. All the sender accounts in the following examples are dedicated threat actor-controlled accounts.

Figure 2. Examples of themed spear-phishing email headers

Other HubSpot campaigns have been observed using the campaign URL embedded in an attached PDF lure or directly in the email body to perform redirection to actor-controlled Evilginx server infrastructure configured for email account credential theft. We assess that in these cases, the HubSpot platform was used to remove the need for including actor-controlled domain infrastructure in the spear-phishing emails and better evade detection based on indicators of compromise (IOC).

Figure 3. Example of victim redirection chain using initial HubSpot URL

Star Blizzard’s use of the MailerLite platform is similar to the second HubSpot tactic described above, with the observed campaign URL redirecting to actor-controlled infrastructure purposed for email credential theft.

Use of a DNS provider to resolve actor-controlled domain infrastructure

In December 2022, we began to observe Star Blizzard first using a domain name service (DNS) provider that also acts as a reverse proxy server to resolve actor-registered domain infrastructure. As of May 2023, most Star Blizzard registered domains associated with their redirector servers use a DNS provider to obscure the resolving IP addresses allocated to their dedicated VPS infrastructure.

We have yet to observe Star Blizzard utilizing a DNS provider to resolve domains used on Evilginx servers.

Password-protected PDF lures or links to cloud-based file-sharing platforms

Star Blizzard has been observed sending password-protected PDF lures in an attempt to evade email security processes implemented by defenders. The threat actor usually sends the password to open the file to the targeted user in the same or a subsequent email message.

In addition to password-protecting the PDF lures themselves, the actor has been observed hosting PDF lures at a cloud storage service and sharing a password-protected link to the file in a message sent to the intended victim. While Star Blizzard frequently uses cloud storage services from all major providers (including Microsoft OneDrive), Proton Drive is predominantly chosen for this purpose.

Microsoft suspends Star Blizzard operational accounts discovered using our platform for their spear-phishing activities.

Figure 4. Example of spear-phishing email with password protected link to Proton Drive

Randomizing DGA for actor registered domains

Following the detailed public reporting by Recorded Future (August 2023) on detection opportunities for Star Blizzard domain registrations, we have observed the threat actor making significant changes in their chosen domain naming syntax.

Prior to the public reporting, Star Blizzard utilized a limited wordlist for their DGA. Subsequently, Microsoft has observed that the threat actor has upgraded their domain-generating mechanism to include a more randomized list of words.

Despite the increased randomization, Microsoft has identified detection opportunities based on the following constant patterns in Star Blizzard domain registration behavior:

Namecheap remains the registrar of choice.
Domains are usually registered in groups, many times with similar naming conventions.
X.509 TLS certificates are provided by Let’s Encrypt, created in the same timeframe of domain registration.

Figure 5. Examples of X.509 TLS certificates used by Star Blizzard

A list of recent domain names registered by Star Blizzard can be found at the end of this report.

Consistent TTPs since 2022

Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts.

Star Blizzard continues to utilize the publicly available Evilginx framework to achieve their objective, with the initial access vector remaining to be spear-phishing via email. Target redirection to the threat actor’s Evilginx server infrastructure is still usually achieved using custom-built PDF lures that open a browser session. This session follows a redirection chain ending at actor-controlled Evilginx infrastructure that is configured with a “phishlet” for the intended targets’ email provider.

Star Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure (redirector + Evilginx servers) used for spear-phishing activities, where each server usually hosts a separate actor registered domain.

Figure 6. Typical Star Blizzard redirection chain to Evilginx infrastructure

Protecting yourself against Star Blizzard

As with all threat actors that focus on phishing or spear-phishing to gain initial access to victim mailboxes, individual email users should be aware of who these attacks target and what they look like to improve their ability to identify and avoid further attacks.

The following are a list of answers to questions that enterprise and consumer email users should be asking about the threat from Star Blizzard:

Am I at risk of being a Star Blizzard target?

Users and organizations are more likely to be a potential Star Blizzard target if connected to the following areas:

Government or diplomacy (both incumbent and former position holders).
Research into defense policy or international relations when related to Russia.
Assistance to Ukraine related to the ongoing conflict with Russia.

Remember that Star Blizzard targets both consumer and enterprise accounts, so there is an equal threat to both organization and personal accounts.

What will a Star Blizzard spear-phishing email look like?

The email will appear to be from a known contact that users or organizations expect to receive email from. The sender address could be from any free email provider, but special attention should be paid to emails received from Proton account senders (@proton.me, @protonmail.com) as they are frequently used by Star Blizzard.

An initial email will usually be sent asking to review a document, but without any attachment or link to the document.

The threat actor will wait for a response, and following that, will send an additional message with either an attached PDF file or a link to a PDF file hosted on a cloud storage platform. The PDF file will be unreadable, with a prominent button purporting to enable reading the content.

Figure 7. Examples of Star Blizzard PDF lures when opened

What happens if I interact with a Star Blizzard PDF lure?

Pressing the button in a PDF lure causes the default browser to open a link embedded in the PDF file code—this is the beginning of the redirection chain. Targets will likely see a web page titled “Docs” in the initial page opened and may be presented with a CAPTCHA to solve before continuing the redirection. The browsing session will end showing a sign-in screen to the account where the spear-phishing email was received, with the targeted email already appearing in the username field.

The host domain in the web address is an actor-controlled domain (see appendix for full list), and not the expected domain of the email server or cloud service.

If multifactor authentication is configured for a targeted email account, entering a password in the displayed sign-in screen will trigger an authentication approval request. If passwordless access is configured for the targeted account, an authentication approval request is immediately received on the device chosen for receiving authentication approvals.

As long as the authentication process is not completed (a valid password is not entered and/or an authentication request is not approved), the threat actor has not compromised the account.

If the authentication process is completed, the credentials have been successfully compromised by Star Blizzard, and the threat actor has all the required details needed to immediately access the mailbox, even if multifactor authentication is enabled.

Figure 8. Examples of Star Blizzard PDF lures when opened

Recommendations

As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.

Microsoft emphasizes that the following two mitigations will strengthen customers’ environments against Star Blizzard attack activity:

Using phishing resistant authentication methods.
Lockdown account access using Conditional Access policies

Microsoft is sharing indicators of compromise related to this attack at the end of this report to encourage the security community to further investigate for potential signs of Star Blizzard activity using their security solution of choice. All these indicators have been incorporated into the threat intelligence feed that powers Microsoft Defender products to aid in protecting customers and mitigating this threat. If your organization is a Microsoft Defender for Office customer or a Microsoft Defender for Endpoint customer with network protection turned on, no further action is required to mitigate this threat presently. A thorough investigation should be performed to understand potential historical impact if Star Blizzard activity has been previously alerted on in the environment.

Additionally, Microsoft recommends the following mitigations to reduce the impact of this threat:

Use advanced anti-phishing solutions that monitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers that automatically identify and block malicious websites and provide solutions that detect and block malicious emails, links, and files.
Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-compromise.
Configure investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus to cover rapidly evolving attacker tools, techniques, and behaviors. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Use security defaults as a baseline set of policies to improve identity security posture. For more granular control, enable conditional access policies. Conditional access policies evaluate sign-in requests using additional identity driven signals like user or group membership, IP location information, and device status, among others, and are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements.
Implement continuous access evaluation.
Continuously monitor suspicious or anomalous activities. Investigate sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, and use of anonymizer services).
Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Office 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
Use the Attack Simulator in Microsoft Defender for Office 365 to organize realistic, yet safe, simulated phishing and password attack campaigns in your organization by training end users against clicking URLs in unsolicited messages and disclosing their credentials. Training should include checking for poor spelling and grammar in phishing emails or the application’s consent screen as well as spoofed app names, logos, and domain URLs appearing to originate from legitimate applications or companies. Note that Attack Simulator testing only supports phishing emails containing links at this time.
Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques:
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
- Block execution of potentially obfuscated scripts.

Appendix

Microsoft Defender XDR detections

Microsoft Defender for Office 365

Microsoft Defender for Office offers enhanced solutions for blocking and identifying malicious emails. Signals from Microsoft Defender for Office inform Microsoft 365 Defender, which correlate cross-domain threat intelligence to deliver coordinated defense, when this threat has been detected. These alerts, however, can be triggered by unrelated threat activity. Example alerts:

A potentially malicious URL click was detected
Email messages containing malicious URL removed after delivery
Email messages removed after delivery
Email reported by user as malware or phish

Microsoft Defender SmartScreen

Microsoft Defender SmartScreen has implemented detections against the phishing domains represented in the IOC section below. By enabling Network protection, organizations can block attempts to connect to these malicious domains.

Microsoft Defender for Endpoint

Aside from the Microsoft Defender for Office 365 alerts above, customers can also monitor for the following Microsoft 365 Defender alerts for this attack. Note that these alerts can also be triggered by unrelated threat activity. Example alerts:

Star Blizzard activity group
Suspicious URL clicked
Suspicious URL opened in web browser
User accessed link in ZAP-quarantined email

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, and respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft 365 Defender Threat analytics

Threat Insights: Disrupting Star Blizzard’s ongoing phishing operations

Hunting queries

Microsoft Sentinel

Indicators of compromise

Star Blizzard domain infrastructure

Domain	Registered	Registrar	X.509 TLS Certificate Issuer	DNS provider resolving
centralitdef[.]com	2023/04/03 14:29:33	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
rootgatewayshome[.]com	2023/04/06 16:09:06	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
directstoragepro[.]com	2023/04/07 14:18:19	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
infocryptoweb[.]com	2023/04/07 14:44:38	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
cloudwebstorage[.]com	2023/04/09 14:13:44	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
cryptdatahub[.]com	2023/04/10 10:07:44	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
datainfosecure[.]com	2023/04/10 10:16:20	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
servershieldme[.]com	2023/04/11 07:32:41	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
scandefinform[.]com	2023/04/12 10:18:26	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
guardittech[.]com	2023/04/12 13:36:33	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
storageinfohub[.]com	2023/04/14 12:23:02	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
docsinfohub[.]com	2023/04/14 16:24:45	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
dbasechecker[.]com	2023/04/20 08:31:04	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
dbasecheck[.]com	2023/04/20 08:31:04	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
gaterecord[.]com	2023/04/25 14:17:14	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
directsgate[.]com	2023/04/25 14:17:14	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
storageinformationsolutions[.]com	2023/04/25 15:33:03	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
storagedatadirect[.]com	2023/04/25 15:33:05	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
informationdoorwaycertificate[.]com	2023/04/25 17:50:04	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
datagatewaydoc[.]com	2023/04/25 17:50:37	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
panelittechweb[.]com	2023/04/27 12:19:19	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
panelitsolution[.]com	2023/04/27 12:19:19	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
keeperdocument[.]com	2023/04/27 14:18:19	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
keeperdocumentgatewayhub[.]com	2023/04/27 14:18:25	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
docview[.]cloud	2023/05/03 06:33:44	Hostinger UAB	C=US, O=Let’s Encrypt, CN=R3
protectitbase[.]com	2023/05/03 09:07:33	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
webcatalogpro[.]com	2023/05/04 09:47:19	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
infoformdata[.]com	2023/05/04 13:13:56	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
keydatastorageunit[.]com	2023/05/10 09:20:39	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
docanalizergate[.]com	2023/05/10 15:23:14	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
docanalizerhub[.]com	2023/05/10 15:23:21	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
hubdatapage[.]com	2023/05/10 16:07:31	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
skyinformdata[.]com	2023/05/11 11:10:35	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
docsaccessdata[.]com	2023/05/11 12:35:02	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
datacryptosafe[.]com	2023/05/11 16:46:00	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
cloudsetupprofi[.]com	2023/05/12 15:35:42	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
setupprofi[.]com	2023/05/12 15:35:52	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
analyzedatainfo[.]com	2023/05/15 15:30:04	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
infocryptodata[.]com	2023/05/15 16:41:42	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
datadocsview[.]com	2023/05/16 13:23:38	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
gatedocsview[.]com	2023/05/16 13:23:42	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
hubinfodocs[.]com	2023/05/16 13:27:07	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
proffsolution[.]com	2023/05/16 14:20:42	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
proffitsolution[.]com	2023/05/16 14:20:44	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
defproresults[.]com	2023/05/16 14:20:49	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
greatnotifyinfo[.]com	2023/05/16 14:55:49	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
topnotifydata[.]com	2023/05/16 14:55:53	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
topinformdata[.]com	2023/05/16 14:55:58	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
defoffresult[.]com	2023/05/16 15:23:49	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
cloudinfodata[.]com	2023/05/16 15:23:52	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
webpartdata[.]com	2023/05/16 15:23:57	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
infostoragegate[.]com	2023/05/17 14:41:37	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
wardenstoragedoorway[.]com	2023/05/17 15:17:10	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
myposcheck[.]com	2023/05/25 08:52:50	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
poscheckdatacenter[.]com	2023/05/25 08:52:51	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
checkdatapos[.]com	2023/05/25 08:52:55	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
docdatares[.]com	2023/05/26 13:42:10	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
datawebhub[.]com	2023/05/26 16:28:34	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
cloudithub[.]com	2023/05/26 16:28:35	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
secitweb[.]com	2023/05/26 16:28:39	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
documentitsolution[.]com	2023/05/29 13:21:44	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
keeperinformation[.]com	2023/05/29 13:21:48	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
webprodata[.]com	2023/05/29 14:28:00	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
clouditprofi[.]com	2023/05/29 14:28:01	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
cryptoinfostorage[.]com	2023/05/29 14:34:41	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
rootinformationgateway[.]com	2023/05/29 14:34:41	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
gatewaydocumentdata[.]com	2023/06/01 14:49:07	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
gatewayitservices[.]com	2023/06/01 14:49:17	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
infoviewerdata[.]com	2023/06/01 14:59:51	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
infoviewergate[.]com	2023/06/01 14:59:51	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
webitresourse[.]com	2023/06/02 19:35:46	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
homedocsdata[.]com	2023/06/05 16:05:54	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
homedocsview[.]com	2023/06/05 16:06:10	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
webdataproceed[.]com	2023/06/08 17:29:54	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
directkeeperstorage[.]com	2023/06/12 15:47:55	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
gatewaykeeperinformation[.]com	2023/06/12 15:48:01	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
rootgatestorage[.]com	2023/06/12 16:46:02	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
documentinformationsolution[.]com	2023/06/12 16:46:04	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
getclouddoc[.]com	2023/06/14 10:56:38	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
statusfiles[.]com	2023/06/16 09:49:55	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
webstaticdata[.]com	2023/06/16 09:49:55	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
cloudwebfile[.]com	2023/06/16 09:49:59	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
statuswebcert[.]com	2023/06/16 10:29:57	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
nextgenexp[.]com	2023/06/16 10:29:57	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
informationkeeper[.]com	2023/06/16 14:48:40	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
documentgatekeeper[.]com	2023/06/16 14:48:44	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
cryptogatesolution[.]com	2023/06/16 15:32:31	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
rootgatewaystorage[.]com	2023/06/16 15:32:34	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
infoviewstorage[.]com	2023/06/22 12:34:10	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
infoconnectstorage[.]com	2023/06/22 12:34:18	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
infolookstorage[.]com	2023/06/22 13:53:04	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
judicialliquidators[.]com	2023/06/25 11:28:05	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
safetyagencyservice[.]com	2023/06/25 11:28:08	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
dynamiclnk[.]com	2023/06/27 13:20:10	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
temphoster[.]com	2023/06/27 13:20:10	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
documententranceintelligence[.]com	2023/06/27 17:13:49	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
documentgateprotector[.]com	2023/06/27 17:13:51	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
readinfodata[.]com	2023/06/28 16:09:46	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
readdatainform[.]com	2023/06/28 16:09:50	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
webcryptoinfo[.]com	2023/06/29 12:41:50	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
storageinfodata[.]com	2023/06/29 12:41:50	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
keeperdatastorage[.]com	2023/07/03 17:40:16	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
keepinformationroot[.]com	2023/07/03 17:40:21	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
keyservicebar[.]com	2023/07/05 13:25:41	PDR Ltd.	C=US, O=Let’s Encrypt, CN=R3
bitespacedev[.]com	2023/07/05 13:25:43	PDR Ltd.	C=US, O=Let’s Encrypt, CN=R3
cryptodocumentinformation[.]com	2023/07/05 15:04:46	PDR Ltd.	C=US, O=Let’s Encrypt, CN=R3
directdocumentinfo[.]com	2023/07/05 15:04:48	PDR Ltd.	C=US, O=Let’s Encrypt, CN=R3
techpenopen[.]com	2023/07/05 15:49:13	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
loginformationbreakthrough[.]com	2023/07/06 16:01:36	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
alldocssolution[.]com	2023/07/06 16:01:39	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
documentkeepersolutionsystems[.]com	2023/07/06 18:45:01	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
docholdersolution[.]com	2023/07/06 18:45:10	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
infodocitsolution[.]com	2023/07/07 11:00:59	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
securebrowssolution[.]com	2023/07/07 11:00:59	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
secbrowsingate[.]com	2023/07/07 11:18:09	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
secbrowsingsystems[.]com	2023/07/07 11:18:14	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
docguardmaterial[.]com	2023/07/10 11:38:40	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
dockeeperweb[.]com	2023/07/10 11:38:44	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
docsecgate[.]com	2023/07/11 13:27:59	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
documentsecsolution[.]com	2023/07/11 13:28:01	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
cryptogatehomes[.]com	2023/07/11 17:51:38	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
topcryptoprotect[.]com	2023/07/12 13:03:36	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
safedocumentgatesolution[.]com	2023/07/12 13:17:15	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
safedocitsolution[.]com	2023/07/12 13:17:23	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
docscontentview[.]com	2023/07/12 15:05:10	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
docscontentgate[.]com	2023/07/12 15:05:10	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
openprojectgate[.]com	2023/07/12 15:30:44	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
infowardendoc[.]com	2023/07/12 15:30:49	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
wardensecbreakthrough[.]com	2023/07/12 15:41:10	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
lawsystemjudgement[.]com	2023/07/12 15:41:10	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
explorewebdata[.]com	2023/07/13 08:12:07	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
doorwayseclaw[.]com	2023/07/13 13:22:18	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
entryloginpoint[.]com	2023/07/13 13:22:22	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
wardenlawsec[.]com	2023/07/13 14:12:32	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
entrygatebreak[.]com	2023/07/13 14:12:32	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
digitalworkdata[.]com	2023/07/13 15:00:44	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
digitalhubdata[.]com	2023/07/13 15:00:45	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
craftfilelink[.]com	2023/07/13 15:31:00	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
createtempdoc[.]com	2023/07/13 15:31:00	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
provideexplorer[.]com	2023/07/13 16:25:33	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
reviewopenfile[.]com	2023/07/13 16:25:34	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
govsafebreakthrough[.]com	2023/07/13 16:26:44	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
govlawentrance[.]com	2023/07/13 16:26:55	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
storagekeepdirect[.]com	2023/07/13 17:36:39	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
storageguarddirect[.]com	2023/07/13 17:36:44	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
storagekeeperexpress[.]com	2023/07/14 13:27:26	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
onestorageprotectordirect[.]com	2023/07/14 13:27:27	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
lawwardensafety[.]com	2023/07/14 13:41:52	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
entrancequick[.]com	2023/07/14 13:41:53	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
seclawdoorway[.]com	2023/07/14 15:28:39	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
wardengovermentlaw[.]com	2023/07/14 15:28:43	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
getvaluepast[.]com	2023/07/14 16:14:41	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
transferlinkdata[.]com	2023/07/14 16:14:41	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
remcemson[.]com	2023/07/26 11:25:48	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
osixmals[.]com	2023/07/26 11:25:56	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
entranceto[.]com	2023/07/28 12:26:15	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
govermentsecintro[.]com	2023/07/28 12:26:17	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
itbugreportbeta[.]com	2023/07/28 13:06:49	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
theitbugreportbeta[.]com	2023/07/28 13:06:49	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
sockintrodoorway[.]com	2023/07/28 13:21:41	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
maxintrosec[.]com	2023/07/28 13:21:42	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
doorgovcommunity[.]com	2023/07/28 15:11:40	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
tarentrycommunity[.]com	2023/07/28 15:11:40	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
webfigmadesignershop[.]com	2023/07/28 16:09:07	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
webfigmadesigner[.]com	2023/07/28 16:09:11	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
logincontrolway[.]com	2023/07/28 16:35:44	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
vertransmitcontrol[.]com	2023/07/28 16:35:44	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
everyinit[.]com	2023/08/09 13:56:51	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
aliceplants[.]com	2023/08/09 17:22:26	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
countingtall[.]com	2023/08/09 17:22:30	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
silenceprotocol[.]com	2023/08/10 12:32:10	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
mintwithapples[.]com	2023/08/10 12:32:15	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
winterholds[.]com	2023/08/10 12:53:29	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
ziplinetransfer[.]com	2023/08/10 16:47:53	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
translatesplit[.]com	2023/08/10 16:47:53	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
getfigmacreator[.]com	2023/08/11 13:13:20	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
postrequestin[.]com	2023/08/11 13:13:23	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
tarifjane[.]com	2023/08/17 14:05:41	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
configlayers[.]com	2023/08/17 14:05:48	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
winterhascometo[.]com	2023/08/17 16:21:43	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
inyourheadexp[.]com	2023/08/17 16:21:43	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
glorybuses[.]com	2023/08/18 15:27:40	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
janeairintroduction[.]com	2023/08/18 15:27:40	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
vikingonairplane[.]com	2023/08/18 16:19:48	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
marungame[.]com	2023/08/18 16:19:49	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
victorinwounder[.]com	2023/08/21 16:14:48	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
paneindestination[.]com	2023/08/21 16:15:02	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
trastamarafamily[.]com	2023/08/22 11:20:22	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
territoryedit[.]com	2023/08/22 11:20:24	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
vectorto[.]com	2023/08/24 09:40:49	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
johnysadventure[.]com	2023/08/24 09:40:54	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
paternenabler[.]com	2023/08/25 14:40:31	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
fastnamegenerator[.]com	2023/08/25 14:40:35	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
literallyandme[.]com	2023/08/28 13:21:33	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
andysalesproject[.]com	2023/08/28 13:21:34	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
pandawithrainbow[.]com	2023/08/28 17:08:58	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
natalyincity[.]com	2023/08/29 15:25:02	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
machinerelise[.]com	2023/09/01 16:29:09	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
industrialcorptruncate[.]com	2023/09/01 16:30:07	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
constructionholdingnewlife[.]com	2023/09/07 14:00:55	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
adventuresrebornpanda[.]com	2023/09/07 14:00:55	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
cryingpand[.]com	2023/09/13 13:10:40	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
industrialwatership[.]com	2023/09/13 13:10:41	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
olohaisland[.]com	2023/09/13 14:25:35	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
voodoomagician[.]com	2023/09/13 14:25:36	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
newestchairs[.]com	2023/09/14 11:24:47	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
cpuisocutter[.]com	2023/09/14 12:37:53	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
incorpcpu[.]com	2023/09/14 12:37:57	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
gulperfish[.]com	2023/09/14 14:00:25	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
leviathanfish[.]com	2023/09/14 14:00:25	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
truncationcorp[.]com	2023/09/14 14:05:41	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
gzipinteraction[.]com	2023/09/14 14:05:42	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
ghostshowing[.]com	2023/09/14 16:10:42	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
hallowenwitch[.]com	2023/09/14 16:10:43	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
certificatentrance[.]com	2023/09/19 08:18:39	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
apiwebdata[.]com	2023/10/02 14:59:14	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
apidatahook[.]com	2023/10/04 15:45:19	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
apireflection[.]com	2023/10/04 15:45:25	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
protectionoffice[.]tech	2023/10/05 11:33:46	Hostinger UAB	C=US, O=Let’s Encrypt, CN=R3
lazyprotype[.]com	2023/10/11 11:52:18	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
angelicfish[.]com	2023/10/13 17:57:29	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
globalyfish[.]com	2023/10/13 17:57:31	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
medicprognosis[.]com	2023/10/16 14:36:32	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
medicoutpatient[.]com	2023/10/16 14:36:41	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
krakfish[.]com	2023/10/17 17:09:29	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
stingrayfish[.]com	2023/10/17 17:09:31	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
incorpreview[.]com	2023/10/17 18:27:09	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
truncatetrim[.]com	2023/10/17 18:27:11	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
corporatesinvitation[.]com	2023/10/18 14:48:54	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
triminget[.]com	2023/10/18 17:31:40	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
firewitches[.]com	2023/10/19 10:40:51	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
solartemplar[.]com	2023/10/19 10:40:52	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
encryptionrenewal[.]com	2023/10/20 13:36:24	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
sslkeycert[.]com	2023/10/20 13:36:24	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
barbarictruths[.]com	2023/10/23 07:37:30	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
castlefranks[.]com	2023/10/23 07:37:33	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3	Yes
comintroduction[.]com	2023/10/24 14:01:11	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3
corpviewer[.]com	2023/10/31 13:10:38	NameCheap, Inc	C=US, O=Let’s Encrypt, CN=R3

Star Blizzard HubSpot campaign domains:

djs53104[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
djr6t104[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
djrzf704[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
djskzh04[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
djslws04[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
djs36c04[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
djt47x04[.]eu1[.]hubspotlinksfree[.]com – used in September 2023
djvcl404[.]eu1[.]hubspotlinksfree[.]com – used in October 2023
d5b74r04[.]na1[.]hubspotlinksfree[.]com – used in October 2023
djvxqp04[.]eu1[.]hubspotlinksfree[.]com – used in October 2023

Star Blizzard MailerLite campaign domain:

ydjjja[.]clicks[.]mlsend[.]com – used in September 2023

References

Social engineering attacks lure Indian users to install Android banking trojans

Microsoft Threat Intelligence — Tue, 21 Nov 2023 04:30:00 +0000

Microsoft has observed ongoing activity from mobile banking trojan campaigns targeting users in India with social media messages designed to steal users’ information for financial fraud. Using social media platforms like WhatsApp and Telegram, attackers are sending messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organizations, such as banks, government services, and utilities. Once installed, these fraudulent apps exfiltrate various types of sensitive information from users, which can include personal information, banking details, payment card information, account credentials, and more.

While not a new threat, mobile malware infections pose a significant threat to mobile users, such as unauthorized access to personal information, financial loss due to fraudulent transactions, loss of privacy, device performance issues due to malware consuming system resources, and data theft or corruption. In the past, we observed similar banking trojan campaigns sending malicious links leading users to download malicious apps, as detailed in our blog Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices.

The current active campaigns have pivoted to sharing malicious APK files directly to mobile users located in India. Our investigation focused on two malicious applications that falsely present themselves as official banking apps. Spoofing and impersonating legitimate banks, financial institutions, and other official services is a common social engineering tactic for information-stealing malware. Importantly, legitimate banks themselves are not affected by these attacks directly, and the existence of these attacks is not related to legitimate banks’ own authentic mobile banking apps and security posture. That said, cybercriminals often target customers of large financial institutions by masquerading as a legitimate entity. This threat highlights the need for customers to install applications only from official app stores, and to be wary of false lures as we see in these instances.

In this blog, we shed light on the ongoing mobile banking trojan campaigns impacting various sectors by analyzing the attacks of two fraudulent apps targeting Indian banking customers. We also detail some of the additional capabilities of malicious apps observed in similar campaigns and provide recommendations and detections to defend against such threats. As our mobile threat research continuously monitors malware campaigns in the effort to combat attackers’ tactics, tools, and procedures (TTPs), we notified the organizations being impersonated by these fake app campaigns. Microsoft is also reporting on this activity to bring increased awareness to the threat landscape as mobile banking trojans and credential phishing fraud continues to persist, prompting an urgent call for robust and proactive defense strategies.

Case 1: Fake banking app targeting account information

We discovered a recent WhatsApp phishing campaign through our telemetry that led to banking trojan activity. In this campaign, the attacker shares a malicious APK file through WhatsApp with a message asking users to enter sensitive information in the app. The widely circulated fake banking message states “Your [redacted] BANK Account will be Blocked Today please update your PANCARD immediately open [redacted]-Bank.apk for update your PANCARD. Thank You.” and includes a APK file named [redacted]-BANK[.]apk.

Figure 1. A fake WhatsApp message sent to user to update KYC using shared APK file.

Upon investigation, we discovered that the APK file was malicious and interacting with it installs a fraudulent application on the victim device. The installed app impersonates a legitimate bank located in India and disguises itself as the bank’s official Know Your Customer (KYC) application to trick users into submitting their sensitive information, despite this particular banking organization not being affiliated with an official KYC-related app. This information is then sent to a command and control (C2) server, as well as to the attacker’s hard-coded phone number used in SMS functionality.

Figure 2. The attack flow of this campaign.

What users see

Upon installation, the fake app displays a bank icon posing as a legitimate bank app. Note that the app we analyzed is not an official bank app from the Google Play Store, but a fake app that we’ve observed being distributed through social media platforms.

The initial screen then proceeds to ask the user to enable SMS-based permissions. Once the user allows the requested permissions, the fake app displays the message “Welcome to [redacted] Bank fast & Secure Online KYC App” and requests users to signin to internet banking by entering their mobile number, ATM pin, and PAN card details.

Figure 3. Once installed on a device, the fake app asks users to allow SMS permissions and to sign-in to internet banking and submit their mobile number, ATM pin, and PAN card to update KYC.

After clicking the sign-in button, the app displays a verification prompt asking the user to enter the digits on the back of their banking debit card in grid format for authentication—a common security feature used as a form of multifactor authentication (MFA), where banks provide debit cards with 2-digit numbers in the form of a grid on the back of the card. Once the user clicks the authenticate button, the app claims to verify the shared details but fails to retrieve data, instead moving on to the next screen requesting additional user information. This can trick the user into believing that the process is legitimate, while remaining unaware of the malicious activity launching in the background.

Figure 4. The fake app’s authentication process asks the user to enter the correct digits as presented on their debit card.

Next, the user is asked to enter their account number followed by their account credentials. Once all the requested details are submitted, a suspicious note appears stating that the details are being verified to update KYC. The user is instructed to wait 30 minutes and not to delete or uninstall the app. Additionally, the app has the functionality to hide its icon, causing it to disappear from the user’s device home screen while still running in the background.

Figure 5. The fraudulent app steals the user’s account number and credentials and hides its icon from the home screen.

Technical analysis

To start our investigation and as part of our proactive research, we located and analyzed the following sample:

SHA-256	6812a82edcb49131a990acd88ed5f6d73da9f536b60ee751184f27265ea769ee
Package name	djhgsfjhfdgf[.]gjhdgsfsjde[.]myappl876786ication

We first examined the app’s AndroidManifest file, which lists the permissions and components (such as activities, services, receivers, and providers) that can run in the background without requiring user interaction. We discovered that the malware requests two runtime permissions (also known as dangerous permissions) from users:

Permissions	Description
*Receive_SMS*	Intercept SMSs received on the victim’s device
*Send_SMS*	Allows an application to send SMS

The below image displays the requested Receive_SMS and Send_SMS permissions, the activities, receivers, and providers used in the application, and the launcher activity, which loads the application’s first screen.

Figure 6. AndroidManifest.xml file

Source code review

Main activity

The main activity, djhgsfjhfdgf[.]gjhdgsfsjde[.]myappl876786ication[.]M1a2i3n4A5c6t7i8v9i0t0y987654321, executes once the app is launched and shows as the first screen of the application. The OnCreate() method of this class requests permissions for Send_SMS and Receive_SMS and displays a form to complete the KYC application with text fields for a user’s mobile number, ATM pin, and PAN card. Once the user’s details are entered successfully, the collected data is added to a JSON object and sent to the attacker’s C2 at: https://biogenetic-flake.000webhostapp[.]com/add.php

The app displays a note saying “Data added successfully”. If the details are not entered successfully, the form fields will be empty, and an error note will be displayed.

Figure 7. Launcher activity page, asking the user to sign-in with their mobile number, ATM pin, and PAN card.

Additionally, the malware collects data and sends it to the attacker’s phone number specified in the code using SMS.

Figure 8. Collected data sent to the attacker’s mobile number as a SMS.

Stealing SMS messages and account information

The malware collects incoming SMS messages from the victim’s device using the newly granted Receive_SMS permission. These incoming messages may contain one-time passwords (OTPs) that can be used to bypass MFA and steal money from the victim’s bank account. Using the Send_SMS permission, the victim’s messages are then sent to the attacker’s C2 server (https[:]//biogenetic-flake[.]000webhostapp[.]com/save_sms[.]php?phone=) and to the attacker’s hardcoded phone number via SMS.

Figure 9. Steals incoming SMS to send to the attacker’s C2 and mobile number via SMS.

The user’s bank account information is also targeted for exfiltration—once the user submits their requested account number and account credentials, the malware collects the data and similarly sends it to the attacker’s C2 server and hard-coded phone number.

Figure 10. Collecting the user’s account number to send to the attacker.

Figure 11. Collecting the user’s account credentials to send to the attacker.

Hiding app icon

Finally, the app has the functionality to hide its icon from the home screen and run in the background.

Figure 12. Hides app icon from home screen

Case 2: Fake banking app targeting payment card details

Similar to the first case, the second case involves a fraudulent app that deceives users into providing personal information. Unlike the first case, the banking trojan in the second case is capable of stealing credit card details, putting users at risk of financial fraud. User information targeted by the fraudulent app to be sent to the attacker’s C2 includes:

Personal information – Name, email ID, mobile number, date of birth
Payment information – Card details (16-digit number, CVV number, card expiration date)
Incoming SMS

What users see

When the user interacts with the app, it displays a launch screen featuring the app icon and prompting the user to grant SMS-based permissions. Once the requested permissions are enabled, the app displays a form for the user to enter their personal details, including their name, email address, mobile number, and date of birth. The data provided by the user is then sent to C2 server. After this, the app displays a form for the user to enter their credit card details, including the 16-digit card number, CVV number, and card expiration date, which is also sent to the attacker’s C2.

Figure 13. Fake app collects SMS permissions, personal details and card details.

Additional features in some versions

In related campaigns, we observed some versions of the same malicious app include additional features and capabilities, such as capturing:

Financial information – Bank details, bank ID, card details
Personal information – PAN card, Aadhar number, permanent address, state, country, pin code, income
Verifying and stealing one-time passwords (OTPs)

Similar campaigns

Based on our telemetry, we have been observing similar campaigns using the names of legitimate organizations in the banking, government services, and utilities sectors, as app file names to target Indian mobile users. Like the two cases discussed above, these campaigns involve sharing the fraudulent apps through WhatsApp and Telegram, and possibly other social media platforms. Moreover, these campaigns select legitimate and even well-known institutions and services in the region to imitate and lure users into a false sense of security. Spoofing and impersonating legitimate organizations and official services is a common social engineering tactic for information-stealing malware. While these banks and other organizations themselves are not affected by the attack directly, attackers often target customers by imitating legitimate entities.

Conclusion

Mobile banking trojan infections can pose significant risks to users’ personal information, privacy, device integrity, and financial security. As the campaigns discussed in this blog display, these threats can often disguise themselves as legitimate apps and deploy social engineering tactics to achieve their goals and steal users’ sensitive data and financial assets. Being aware of the risks and common tactics used by banking trojans and other mobile malware can help users identify signs of infection and take appropriate action to mitigate the impacts of these threats.

Finding unfamiliar installed apps, increased data usage or battery drain, unauthorized transactions or account settings changes, device crashes, slow performance, unexpected pop-ups, and other unusual app behaviors can indicate a possible banking trojan infection. To help prevent such threats, we recommend the following precautionary measures:

Only install apps from trusted sources and official stores, like the Google Play Store and Apple App Store.
Never click on unknown links received through ads, SMS messages, emails, or similar untrusted sources.
Use mobile solutions such as Microsoft Defender for Endpoint on Android to detect malicious applications
Always keep Install unknown apps disabled on the Android device to prevent apps from being installed from unknown sources.

Figure 14. Example of the Install unknown apps feature on an Android device

Additionally, various Indian banks, governments services, and other organizations are conducting security awareness campaigns on social media using promotional videos to educate users and help combat the ongoing threat presented by these mobile banking trojan campaigns.

Abhishek Pustakala, Harshita Tripathi, and Shivang Desai

Microsoft Threat Intelligence

Appendix

Microsoft 365 Defender detections

Microsoft Defender Antivirus and Microsoft Defender for Endpoint on Android detect these threats as the following malware:

Indicators of compromise

SHA256	Description	Threat Name
6812a82edcb49131a990acd88ed5f6d73da9f536b60ee751184f27265ea769ee	Malicious APK	Trojan:AndroidOS/Banker.U
34cdc6ef199b4c50ee80eb0efce13a63a9a0e6bee9c23610456e913bf78272a8	Malicious APK	TrojanSpy:AndroidOS/SpyBanker.Y

MITRE ATT&CK techniques

Execution	Defense Evasion	Credential Access	Collection	Exfiltration	Impact
Scheduled Task/Job	Obfuscated Files/Information	Input Capture	Protected User Data: SMS Messages	Exfiltration Over C2 Channel	SMS Control
	Hide Artifacts: Suppress Application Icon

References

https://developer.android.com/guide/topics/permissions/overview#dangerous_permissions

Acknowledgments

https://cyble.com/blog/new-wave-of-finacial-fraud-scammers-monitoring-social-media-complaints/

Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction

Microsoft Incident Response and Microsoft Threat Intelligence — Wed, 25 Oct 2023 16:30:00 +0000

Microsoft has been tracking activity related to the financially motivated threat actor Octo Tempest, whose evolving campaigns represent a growing concern for organizations across multiple industries. Octo Tempest leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion. With their extensive range of tactics, techniques, and procedures (TTPs), the threat actor, from our perspective, is one of the most dangerous financial criminal groups.

OCTO TEMPEST: Hybrid identity compromise recovery

Read the Microsoft Incident Response playbook

Octo Tempest is a financially motivated collective of native English-speaking threat actors known for launching wide-ranging campaigns that prominently feature adversary-in-the-middle (AiTM) techniques, social engineering, and SIM swapping capabilities. Octo Tempest, which overlaps with research associated with 0ktapus, Scattered Spider, and UNC3944, was initially seen in early 2022, targeting mobile telecommunications and business process outsourcing organizations to initiate phone number ports (also known as SIM swaps). Octo Tempest monetized their intrusions in 2022 by selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals to steal their cryptocurrency.

Figure 1. The evolution of Octo Tempest’s targeting, actions, outcomes, and monetization

Building on their initial success, Octo Tempest harnessed their experience and acquired data to progressively advance their motives, targeting, and techniques, adopting an increasingly aggressive approach. In late 2022 to early 2023, Octo Tempest expanded their targeting to include cable telecommunications, email, and technology organizations. During this period, Octo Tempest started monetizing intrusions by extorting victim organizations for data stolen during their intrusion operations and in some cases even resorting to physical threats.

In mid-2023, Octo Tempest became an affiliate of ALPHV/BlackCat, a human-operated ransomware as a service (RaaS) operation, and initial victims were extorted for data theft (with no ransomware deployment) using ALPHV Collections leak site. This is notable in that, historically, Eastern European ransomware groups refused to do business with native English-speaking criminals. By June 2023, Octo Tempest started deploying ALPHV/BlackCat ransomware payloads (both Windows and Linux versions) to victims and lately has focused their deployments primarily on VMWare ESXi servers. Octo Tempest progressively broadened the scope of industries targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services.

In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data. Octo Tempest leverages tradecraft that many organizations don’t have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques. This blog post aims to provide organizations with an insight into Octo Tempest’s tradecraft by detailing the fluidity of their operations and to offer organizations defensive mechanisms to thwart the highly motivated financial cybercriminal group.

Analysis

The well-organized, prolific nature of Octo Tempest’s attacks is indicative of extensive technical depth and multiple hands-on-keyboard operators. The succeeding sections cover the wide range of TTPs we observed being used by Octo Tempest.

Figure 2. Octo Tempest TTPs

Initial access

Octo Tempest commonly launches social engineering attacks targeting technical administrators, such as support and help desk personnel, who have permissions that could enable the threat actor to gain initial access to accounts. The threat actor performs research on the organization and identifies targets to effectively impersonate victims, mimicking idiolect on phone calls and understanding personal identifiable information to trick technical administrators into performing password resets and resetting multifactor authentication (MFA) methods. Octo Tempest has also been observed impersonating newly hired employees in these attempts to blend into normal on-hire processes.

Octo Tempest primarily gains initial access to an organization using one of several methods:

Social engineering
- Calling an employee and socially engineering the user to either:
  - Install a Remote Monitoring and Management (RMM) utility
  - Navigate to a site configured with a fake login portal using an adversary-in-the-middle toolkit
  - Remove their FIDO2 token
- Calling an organization’s help desk and socially engineering the help desk to reset the user’s password and/or change/add a multi-factor authentication token/factor
Purchasing an employee’s credentials and/or session token(s) on a criminal underground market
SMS phishing employee phone numbers with a link to a site configured with a fake login portal using an adversary-in-the-middle toolkit
Using the employee’s pre-existing access to mobile telecommunications and business process outsourcing organizations to initiate a SIM swap or to set up call number forwarding on an employee’s phone number. Octo Tempest will initiate a self-service password reset of the user’s account once they have gained control of the employee’s phone number.

In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts. These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access.

Figure 3. Threats sent by Octo Tempest to targets

Reconnaissance and discovery

Crossing borders for identity, architecture, and controls enumeration

In the early stage of their attacks, Octo Tempest performs various enumeration and information gathering actions to pursue advanced access in targeted environments and abuses legitimate channels for follow-on actions later in the attack sequence. Initial bulk-export of users, groups, and device information is closely followed by enumerating data and resources readily available to the user’s profile within virtual desktop infrastructure or enterprise-hosted resources.

Frequently, Octo Tempest uses their access to carry out broad searches across knowledge repositories to identify documents related to network architecture, employee onboarding, remote access methods, password policies, and credential vaults.

Octo Tempest then performs exploration through multi-cloud environments enumerating access and resources across cloud environments, code repositories, server and backup management infrastructure, and others. In this stage, the threat actor validates access, enumerates databases and storage containers, and plans footholds to aid further phases of the attack.

Additional tradecraft and techniques:

PingCastle and ADRecon to perform reconnaissance of Active Directory
Advanced IP Scanner to probe victim networks
Govmomi Go library to enumerate vCenter APIs
PureStorage FlashArray PowerShell module to enumerate storage arrays
AAD bulk downloads of user, groups, and devices

Privilege escalation and credential access

Octo Tempest commonly elevates their privileges within an organization through the following techniques:

Using their pre-existing access to mobile telecommunications and business process outsourcing organizations to initiate a SIM swap or to set up call number forwarding on an employee’s phone number. Octo Tempest will initiate a self-service password reset of the user’s account once they have gained control of the employee’s phone number.
Social engineering – calling an organization’s help desk and socially engineering the help desk to reset an administrator’s password and/or change/add a multi-factor authentication token/factor

Further masquerading and collection for escalation

Octo Tempest employs an advanced social engineering strategy for privilege escalation, harnessing stolen password policy procedures, bulk downloads of user, group, and role exports, and their familiarity with the target organizations procedures. The actor’s privilege escalation tactics often rely on building trust through various means, such as leveraging possession of compromised accounts and demonstrating an understanding of the organization’s procedures. In some cases, they go as far as bypassing password reset procedures by using a compromised manager’s account to approve their requests.

Octo Tempest continually seeks to collect additional credentials across all planes of access. Using open-source tooling like Jercretz and TruffleHog, the threat actor automates the identification of plaintext keys, secrets, and credentials across code repositories for further use.

Additional tradecraft and techniques:

Modifying access policies or using MicroBurst to gain access to credential stores
Using open-source tooling: Mimikatz, Hekatomb, Lazagne, gosecretsdump, smbpasswd.py, LinPEAS, ADFSDump
Using VMAccess Extension to reset passwords or modify configurations of Azure VMs
Creating snapshots virtual domain controller disks to download and extract NTDS.dit
Assignment of User Access Administrator role to grant Tenant Root Group management scope

Defense evasion

Security product arsenal sabotage

Octo Tempest compromises security personnel accounts within victim organizations to turn off security products and features and attempt to evade detection throughout their compromise. Using compromised accounts, the threat actor leverages EDR and device management technologies to allow malicious tooling, deploy RMM software, remove or impair security products, data theft of sensitive files (e.g. files with credentials, signal messaging databases, etc.), and deploy malicious payloads.

To prevent identification of security product manipulation and suppress alerts or notifications of changes, Octo Tempest modifies the security staff mailbox rules to automatically delete emails from vendors that may raise the target’s suspicion of their activities.

Figure 4. Inbox rule created by Octo Tempest to delete emails from vendors

Additional tradecraft and techniques:

Using open-source tooling like privacy.sexy framework to disable security products
Enrolling actor-controlled devices into device management software to bypass controls
Configuring trusted locations in Conditional Access Policies to expand access capabilities
Replaying harvested tokens with satisfied MFA claims to bypass MFA

Persistence

Sustained intrusion with identities and open-source tools

Octo Tempest leverages publicly available security tools to establish persistence within victim organizations, largely using account manipulation techniques and implants on hosts. For identity-based persistence, Octo Tempest targets federated identity providers using tools like AADInternals to federate existing domains, or spoof legitimate domains by adding and then federating new domains. The threat actor then abuses this federation to generate forged valid security assertion markup language (SAML) tokens for any user of the target tenant with claims that have MFA satisfied, a technique known as Golden SAML. Similar techniques have also been observed using Okta as their source of truth identity provider, leveraging Okta Org2Org functionality to impersonate any desired user account.

To maintain access to endpoints, Octo Tempest installs a wide array of legitimate RMM tools and makes required network modifications to enable access. The usage of reverse shells is seen across Octo Tempest intrusions on both Windows and Linux endpoints. These reverse shells commonly initiate connections to the same attacker infrastructure that deployed the RMM tools.

Figure 5. Reverse shellcode used by Octo Tempest

A unique technique Octo Tempest uses is compromising VMware ESXi infrastructure, installing the open-source Linux backdoor Bedevil, and then launching VMware Python scripts to run arbitrary commands against housed virtual machines.

Additional tradecraft and techniques:

Usage of open-source tooling: ScreenConnect, FleetDeck, AnyDesk, RustDesk, Splashtop, Pulseway, TightVNC, LummaC2, Level.io, Mesh, TacticalRMM, Tailscale, Ngrok, WsTunnel, Rsocx, and Socat
Deployment of Azure virtual machines to enable remote access via RMM installation or modification to existing resources via Azure serial console
Addition of MFA methods to existing users
Usage of the third-party tunneling tool Twingate, which leverages Azure Container instances as a private connector (without public network exposure)

Actions on objectives

Common trifecta: Data theft, extortion, and ransomware

The goal of Octo Tempest remains financially motivated, but the monetization techniques observed across industries vary between cryptocurrency theft and data exfiltration for extortion and ransomware deployment.

Like in most cyberattacks, data theft largely depends on the data readily available to the threat actor. Octo Tempest accesses data from code repositories, large document management and storage systems, including SharePoint, SQL databases, cloud storage blobs/buckets, and email, using legitimate management clients such as DBeaver, MongoDB Compass, Azure SQL Query Editor, and Cerebrata for the purpose of connection and collection. After data harvesting, the threat actor employs anonymous file-hosting services, including GoFile.io, shz.al, StorjShare, Temp.sh, MegaSync, Paste.ee, Backblaze, and AWS S3 buckets for data exfiltration.

Octo Tempest employs a unique technique using the data movement platform Azure Data Factory and automated pipelines to extract data to external actor hosted Secure File Transfer Protocol (SFTP) servers, aiming to blend in with typical big data operations. Additionally, the threat actor commonly registers legitimate Microsoft 365 backup solutions such as Veeam, AFI Backup, and CommVault to export the contents of SharePoint document libraries and expedite data exfiltration.

Ransomware deployment closely follows data theft objectives. This activity targets both Windows and Unix/Linux endpoints and VMware hypervisors using a variant of ALPHV/BlackCat. Encryption at the hypervisor level has shown significant impact to organizations, making recovery efforts difficult post-encryption.

Octo Tempest frequently communicates with target organizations and their personnel directly after encryption to negotiate or extort the ransom—providing “proof of life” through samples of exfiltrated data. Many of these communications have been leaked publicly, causing significant reputational damage to affected organizations.

Additional tradecraft and techniques:

Use of the third-party services like FiveTran to extract copies of high-value service databases, such as SalesForce and ZenDesk, using API connectors
Exfiltration of mailbox PST files and mail forwarding to external mailboxes

Recommendations

Hunting methodology

Octo Tempest’s utilization of social engineering, living-off-the land techniques, and diverse toolsets could make hunting slightly unorthodox. Following these general guidelines alongside robust deconfliction with legitimate users will surface their activity:

Identity

Understand authentication flows in the environment.
Centralize visibility of administrative changes in the environment into a single pane of glass.
Scrutinize all user and sign-in risk detections for any administrator within the timeframe. Common alerts that are surfaced during an Octo Tempest intrusion include (but not limited to): Impossible Travel, Unfamiliar Sign-in Properties, and Anomalous Token
Review the coverage of Conditional Access policies; scrutinize the use of trusted locations and exclusions.
Review all existing and new custom domains in the tenant, and their federation settings.
Scrutinize administrator groups, roles, and privileges for recent modification.
Review recently created Microsoft Entra ID users and registered device identities.
Look for any anomalous pivots into organizational apps that may hold sensitive data, such as Microsoft SharePoint and OneDrive.

Azure

Leverage and continuously monitor Defender for Cloud for Azure Workloads, providing a wealth of information around unauthorized resource access.
Review Azure role-based access control (RBAC) definitions across the management group, subscription, resource group and resource structure.
Review the public network exposure of resources and revoke any unauthorized modifications.
Review both data plane and management plane access control for all critical workloads such as those that hold credentials and organizational data, like Key Vaults, storage accounts, and database resources.
Tightly control access to identity workloads that issue access organizational resources such as Active Directory Domain Controllers.
Review the Azure Activity log for anomalous modification of resources.

Endpoints

Look for recent additions to the indicators or exclusions of the EDR solution in place at the organization.
Review any generation of offboarding scripts.
Review access control within security products and EDR software suites.
Scrutinize any tools used to manage endpoints (SCCM, Intune, etc.) and look for recent rule additions, packages, or deployments.
Scrutinize use of remote administration tools across the environment, paying particular attention to recent installations regardless of whether they are used legitimately within the network already.
Ensure monitoring at the network boundary is in place, that alerting is in place for connections with common anonymizing services and scrutinize the use of these services.

Defending against Octo Tempest activity

Align privilege in Microsoft Entra ID and Azure

Privileges spanning Microsoft Entra ID and Azure need to be holistically aligned, with purposeful design decisions to prevent unauthorized access to critical workloads. Reducing the number of users with permanently assigned critical roles is paramount to achieving this. Segregation of privilege between on-premises and cloud is also necessary to sever the ability to pivot within the environment.

It is highly recommended to implement Microsoft Entra Privileged Identity Management (PIM) as a central location for the management of both Microsoft Entra ID roles and Azure RBAC. For all critical roles, at minimum:

Implement role assignments as eligible rather than permanent.
Review and understand the role definition Actions and NotActions – ensure to select only the roles with actions that the user requires to do their role (least privileged access).
Configure these roles to be time-bound, deactivating after a specific timeframe.
Require users to perform MFA to elevate to the role.
Optionally require users to provide justification or a ticket number upon elevation.
Enable notifications for privileged role elevation to a subset of administrators.
Utilize PIM Access Reviews to reduce standing access in the organization on a periodic basis.

Every organization is different and, therefore, roles will be classified differently in terms of their criticality. Consider the scope of impact those roles may have on downstream resources, services, or identities in the event of compromise. For help desk administrators specifically, ensure to scope privilege to exclude administrative operations over Global Administrators. Consider implementing segregation strategies such as Microsoft Entra ID Administrative Units to segment administrative access over the tenant. For identities that leverage cross-service roles such as those that service the Microsoft Security Stack, consider implementing additional service-based granular access control to restrict the use of sensitive functionality, like Live Response and modification of IOC allow lists.

Segment Azure landing zones

For organizations yet to begin or are early in their modernization journey, end-to-end guidance for cloud adoption is available through the Microsoft Azure Cloud Adoption Framework. Recommended practice and security are central pillars—Azure workloads are segregated into separate, tightly restricted areas known as landing zones. When deploying Active Directory in the cloud, it is advised to create a platform landing zone for identity—a dedicated subscription to hold all Identity-related resources such as Domain Controller VM resources. Employ least privilege across this landing zone with the aforementioned privilege and PIM guidance for Azure RBAC.

Implement Conditional Access policies and authentication methods

TTPs outlined in this blog leverage strategies to evade multifactor authentication defenses. However, it is still strongly recommended to practice basic security hygiene by implementing a baseline set of Conditional Access policies:

Require multifactor authentication for all privileged roles with the use of authentication strengths to enforce phish-resistant MFA methods such as FIDO2 security keys
Require phishing-resistant multifactor authentication for administrators
Enforce MFA registration from trusted locations from a device that also meets organizational requirements with Intune device compliance policies
User and sign-in risk policies for signals associated to Microsoft Entra ID Protection

Organizations are recommended to keep their policies as simple as possible. Implementing complex policies might inhibit the ability to respond to threats at a rapid pace or allow threat actors to leverage misconfigurations within the environment.

Develop and maintain a user education strategy

An organization’s ability to protect itself against cyberattacks is only as strong as its people—it is imperative to put in place an end-to-end cybersecurity strategy highlighting the importance of ongoing user education and awareness. Targeted education and periodic security awareness campaigns around common cyber threats and attack vectors such as phishing and social engineering not only for users that hold administrative privilege in the organization, but the wider user base is crucial. A well-maintained incident response plan should be developed and refined to enable organizations to respond to unexpected cybersecurity events and rapidly regain positive control.

Use out-of-band communication channels

Octo Tempest has been observed joining, recording, and transcribing calls using tools such as OtterAI, and sending messages via Slack, Zoom, and Microsoft Teams, taunting and threatening targets, organizations, defenders, and gaining insights into incident response operations/planning. Using out-of-band communication channels is strongly encouraged when dealing with this threat actor.

Detections

Microsoft 365 Defender

Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.

NOTE: Several tools mentioned throughout this blog are remote administrator tools that have been utilized by Octo Tempest to maintain persistence. While these tools are abused by threat actors, they can have legitimate use cases by normal users, and are updated on a frequent basis. Microsoft recommends monitoring their use within the environment, and when they are identified, defenders take the necessary steps for deconfliction to verify their use.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

Turning on tamper protection, which is part of built-in protection, prevents attackers from stopping security services.

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

Octo Tempest activity group

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

Suspicious usage of remote management software
Mimikatz credential theft tool
BlackCat ransomware
Activity linked to BlackCat ransomware
Tampering activity typical to ransomware attacks
Possible hands-on-keyboard pre-ransom activity

Microsoft Defender for Cloud Apps

Using Microsoft Defender for Cloud Apps connectors, Microsoft 365 Defender raises AitM-related alerts in multiple scenarios. For Microsoft Entra ID customers using Microsoft Edge, attempts by attackers to replay session cookies to access cloud applications are detected by Microsoft 365 Defender through Defender for Cloud Apps connectors for Microsoft Office 365 and Azure. In such scenarios, Microsoft 365 Defender raises the following alerts:

Backdoor creation using AADInternals tool
Suspicious domain added to Microsoft Entra ID
Suspicious domain trust modification following risky sign-in
User compromised via a known AitM phishing kit
User compromised in AiTM phishing attack
Suspicious email deletion activity

Similarly, the connector for Okta raises the following alerts:

Suspicious Okta account enumeration
Possible AiTM phishing attempt in Okta

Microsoft Defender for Identity

Microsoft Defender for Identity raises the following alerts for TTPs used by Octo Tempest such as NTDS stealing and Active Directory reconnaissance:

Account enumeration reconnaissance
Network-mapping reconnaissance (DNS)
User and IP address reconnaissance (SMB)
User and Group membership reconnaissance (SAMR)
Suspected DCSync attack (replication of directory services)
Suspected AD FS DKM key read
Data exfiltration over SMB

Microsoft Defender for Cloud

The following Microsoft Defender for Cloud alerts relate to TTPs used by Octo Tempest. Note, however, that these alerts can also be triggered by unrelated threat activity.

MicroBurst exploitation toolkit used to enumerate resources in your subscriptions
MicroBurst exploitation toolkit used to execute code on your virtual machine
MicroBurst exploitation toolkit used to extract keys from your Azure key vaults
MicroBurst exploitation toolkit used to extract keys to your storage accounts
Suspicious Azure role assignment detected
Suspicious elevate access operation (Preview)
Suspicious invocation of a high-risk ‘Initial Access’ operation detected (Preview)
Suspicious invocation of a high-risk ‘Credential Access’ operation detected (Preview)
Suspicious invocation of a high-risk ‘Data Collection’ operation detected (Preview)
Suspicious invocation of a high-risk ‘Execution’ operation detected (Preview)
Suspicious invocation of a high-risk ‘Impact’ operation detected (Preview)
Suspicious invocation of a high-risk ‘Lateral Movement’ operation detected (Preview)
Unusual user password reset in your virtual machine
Suspicious usage of VMAccess extension was detected on your virtual machines (Preview)
Suspicious usage of multiple monitoring or data collection extensions was detected on your virtual machines (Preview)
Run Command with a suspicious script was detected on your virtual machine (Preview)
Suspicious Run Command usage was detected on your virtual machine (Preview)
Suspicious unauthorized Run Command usage was detected on your virtual machine (Preview)

Microsoft Sentinel

Microsoft Sentinel customers can use the following Microsoft Sentinel Analytics template to identify potential AitM phishing attempts:

Possible AitM Phishing Attempt Against Azure AD

This detection uses signals from Microsoft Entra ID Identity Protection and looks for successful sign-ins that have been flagged as high risk. It combines this with data from web proxy services, such as ZScaler, to identify where users might have connected to the source of those sign-ins immediately prior. This can indicate a user interacting with an AitM phishing site and having their session hijacked. This detection uses the Advanced Security Information Model (ASIM) Web Session schema. Refer to this article for more details on the schema and its requirements.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection info, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft 365 Defender Threat analytics

Hunting queries

Microsoft Sentinel

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.

Malware distributor Storm-0324 facilitates ransomware access

Microsoft Threat Intelligence — Tue, 12 Sep 2023 17:00:00 +0000

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats. This activity is not related to the Midnight Blizzard social engineering campaigns over Teams that we observed beginning in May 2023. Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware.

Storm-0324 (DEV-0324), which overlaps with threat groups tracked by other researchers as TA543 and Sagrid, acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. Storm-0324’s tactics focus on highly evasive infection chains with payment and invoice lures. The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer and the Nymaim downloader and locker.

In this blog, we provide a comprehensive analysis of Storm-0324 activity, covering their established tools, tactics, and procedures (TTPs) as observed in past campaigns as well as their more recent attacks. To defend against this threat actor, Microsoft customers can use Microsoft 365 Defender to detect Storm-0324 activity and significantly limit the impact of these attacks on networks. Additionally, by using the principle of least privilege, building credential hygiene, and following the other recommendations we provide in this blog, administrators can limit the destructive impact of ransomware even if the attackers can gain initial access.

Historical malware distribution activity

Storm-0324 manages a malware distribution chain and has used exploit kit and email-based vectors to deliver malware payloads. The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic. This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site.

Storm-0324’s email themes typically reference invoices and payments, mimicking services such as DocuSign, Quickbooks, and others. Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload. Storm-0324 has used many file formats to launch the malicious JavaScript including Microsoft Office documents, Windows Script File (WSF), and VBScript, among others.

Storm-0324 has distributed a range of first-stage payloads since at least 2016, including:

Nymaim, a first-stage downloader and locker
Gozi version 3, an infostealer
Trickbot, a modular malware platform
Gootkit, a banking trojan
Dridex, a banking trojan
Sage ransomware
GandCrab ransomware
IcedID, a modular information-stealing malware

Since 2019, however, Storm-0324 has primarily distributed JSSLoader, handing off access to ransomware actor Sangria Tempest.

Ongoing Storm-0324 and Sangria Tempest JSSLoader email-based infection chain

Figure 1. Storm-0324 JSSLoader infection chain based on mid-2023 activity

Since as early as 2019, Storm-0324 has handed off access to the cybercrime group Sangria Tempest after delivering the group’s first-stage malware payload, JSSLoader. Storm-0324’s delivery chain begins with phishing emails referencing invoices or payments and containing a link to a SharePoint site that hosts a ZIP archive. Microsoft continues to work across its platforms to identify abuse, take down malicious activity, and implement new proactive protections to discourage malicious actors from using our services.

Figure 2. Example Storm-0324 email

The ZIP archive contains a file with embedded JavaScript code. Storm-0324 has used a variety of files to host the JavaScript code, including WSF and Ekipa publisher files exploiting the CVE-2023-21715 local security feature bypass vulnerability.

When the JavaScript launches, it drops a JSSLoader variant DLL. The JSSLoader malware is then followed by additional Sangria Tempest tooling.

In some cases, Storm-0324 uses protected documents for additional social engineering. By adding the security code or password in the initial communications to the user, the lure document may acquire an additional level of believability for the user. The password also serves as an effective anti-analysis measure because it requires user interaction after launch.

Figure 3. Storm-0324 password-protected lure document

New Teams-based phishing activity

In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file. For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher. TeamsPhisher is a Python-language program that enables Teams tenant users to attach files to messages sent to external tenants, which can be abused by attackers to deliver phishing attachments. These Teams-based phishing lures by threat actors are identified by the Teams platform as “EXTERNAL” users if external access is enabled in the organization.

Microsoft takes these phishing campaigns very seriously and has rolled out several improvements to better defend against these threats. In accordance with Microsoft policies, we have suspended identified accounts and tenants associated with inauthentic or fraudulent behavior. We have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders . We rolled out new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant. In addition to these specific enhancements, our development teams will continue to introduce additional preventative and detective measures to further protect customers from phishing attacks.

Recommendations

To harden networks against Storm-0324 attacks, defenders are advised to implement the following:

Pilot and start deploying phishing-resistant authentication methods for users.
Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
Apply security best practices for Microsoft Teams. Refer to the security guide for Microsoft Teams.
- Understand and select the best access settings for external collaboration for your organization.
- Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
Keep Microsoft 365 auditing enabled so that audit records could be investigated if required.
Allow only known devices that adhere to Microsoft’s recommended security baselines.
Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
- Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
- Educate Microsoft Teams users about accepting or blocking people outside the organization who send messages in Microsoft Teams.
Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
Enable Zero-hour auto purge (ZAP) in Microsoft Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, administrator-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
For additional recommendations on hardening your organization against ransomware attacks, refer to our threat overview on human-operated ransomware.

Microsoft customers can turn on attack surface reduction rules to prevent common attack techniques:

Detection details

Microsoft 365 Defender

Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

Ransomware-linked Storm-0324 threat activity group detected

Hunting queries

Microsoft 365 Defender

Possible TeamsPhisher downloads The following query looks for downloaded files that were potentially facilitated by use of the TeamsPhisher tool. Defenders should customize the SharePoint domain name (‘mysharepointname’) in the query.

let allowedSharepointDomain = pack_array(
'mysharepointname' //customize Sharepoint domain name and add more domains as needed for your query
);
//
let executable = pack_array(
'exe',
'dll',
'xll',
'msi',
'application'
);
let script = pack_array(
'ps1',
'py',
'vbs',
'bat'
);
let compressed = pack_array(
'rar',
'7z',
'zip',
'tar',
'gz'
);
//
let startTime = ago(1d);
let endTime = now();
DeviceFileEvents
| where Timestamp between (startTime..endTime)
| where ActionType =~ 'FileCreated'
| where InitiatingProcessFileName has 'teams.exe'
    or InitiatingProcessParentFileName has 'teams.exe'
| where InitiatingProcessFileName !has 'update.exe'
    and InitiatingProcessParentFileName !has 'update.exe'
| where FileOriginUrl has 'sharepoint'
    and FileOriginReferrerUrl has_any ('sharepoint', 'teams.microsoft')
| extend fileExt = tolower(tostring(split(FileName,'.')[-1]))
| where fileExt in (executable)
    or fileExt in (script)
    or fileExt in (compressed)
| extend fileGroup = iff( fileExt in (executable),'executable','')
| extend fileGroup = iff( fileExt in (script),'script',fileGroup)
| extend fileGroup = iff( fileExt in (compressed),'compressed',fileGroup)
//
| extend sharePoint_domain = tostring(split(FileOriginUrl,'/')[2])
| where not (sharePoint_domain has_any (allowedSharepointDomain))
| project-reorder Timestamp, DeviceId, DeviceName, sharePoint_domain, FileName, FolderPath, SHA256, FileOriginUrl, FileOriginReferrerUrl

Microsoft Sentinel

References

Midnight Blizzard conducts targeted social engineering over Microsoft Teams

Microsoft Threat Intelligence — Wed, 02 Aug 2023 19:00:00 +0000

Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques. In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities. Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts. As with any social engineering lures, we encourage organizations to reinforce security best practices to all users and reinforce that any authentication requests not initiated by the user should be treated as malicious.

Our current investigation indicates this campaign has affected fewer than 40 unique global organizations. The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.

Midnight Blizzard (NOBELIUM) is a Russia-based threat actor attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-government organizations (NGOs), and IT service providers primarily in the US and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Their operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.

Midnight Blizzard is consistent and persistent in their operational targeting, and their objectives rarely change. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, exploitation of service providers’ trust chain to gain access to downstream customers, as well as the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard (NOBELIUM) is tracked by partner security vendors as APT29, UNC2452, and Cozy Bear.

Midnight Blizzard’s latest credential phishing attack

Midnight Blizzard regularly utilizes token theft techniques for initial access into targeted environments, in addition to authentication spear-phishing, password spray, brute force, and other credential attacks. The attack pattern observed in malicious activity since at least late May 2023 has been identified as a subset of broader credential attack campaigns that we attribute to Midnight Blizzard.

Use of security-themed domain names in lures

To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant. The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages. These precursory attacks to compromise legitimate Azure tenants and the use of homoglyph domain names in social engineering lures are part of our ongoing investigation. Microsoft has mitigated the actor from using the domains.

In this activity, Midnight Blizzard either has obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.

After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app. The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device.

Step 1: Teams request to chat

The target user may receive a Microsoft Teams message request from an external user masquerading as a technical support or security team.

Figure 1: Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled account

Step 2: Request authentication app action

If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device.

Figure 2: A Microsoft Teams prompt with a code and instructions.

Step 3: Successful MFA authentication

If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.

The actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.

Recommendations

Microsoft recommends the following mitigations to reduce the risk of this threat.

Pilot and start deploying phishing-resistant authentication methods for users.
Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
Apply security best practices for Microsoft Teams. Refer to the security guide for Microsoft Teams.
- Understand and select the best access settings for external collaboration for your organization.
- Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
Keep Microsoft 365 auditing enabled so that audit records could be investigated if required.
Allow only known devices that adhere to Microsoft’s recommended security baselines.
Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
- Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
- Educate Microsoft Teams users about accepting or blocking people outside the organization who send messages in Microsoft Teams.
Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.

Indicators of compromise

Indicator	Type	Description
mlcrosoftaccounts.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
msftonlineservices.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
msonlineteam.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
msftservice.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
noreplyteam.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
accounteam.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
teamsprotection.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
identityverification.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
msftprotection.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
accountsverification.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
azuresecuritycenter.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain

Hunting guidance

Microsoft Purview

Customers hunting for related activity in their environment can identify users that were targeted with the phishing lure using content search in Microsoft Purview. A content search can be created for selected Exchange mailboxes (which include Teams messages) using the following keywords (remove the [] around the “.” before use):

mlcrosoftaccounts.onmicrosoft[.]com
msftonlineservices.onmicrosoft[.]com
msonlineteam.onmicrosoft[.]com
msftservice.onmicrosoft[.]com
noreplyteam.onmicrosoft[.]com
accounteam.onmicrosoft[.]com
teamsprotection.onmicrosoft[.]com
identityverification.onmicrosoft[.]com
msftprotection.onmicrosoft[.]com
accountsverification.onmicrosoft[.]com
azuresecuritycenter.onmicrosoft[.]com
We detected a recent change to your preferred Multi-Factor Authentication (MFA)

The search results will include the messages that match the criteria. The first result will appear to be from @unq.gbl.spaces addressed to the target user and the threat actor (i.e., the request to chat as described in Step 1), followed by the message sent by the threat actor, as shown in the Microsoft Purview image below:

Figure 3: Message sent by the threat actor, as shown in Microsoft Purview

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with “TI map”) to automatically match indicators associated with Midnight Blizzard in Microsoft Defender Threat Intelligence with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the Defender Threat Intelligence connector and analytics rule deployed in their Sentinel workspace. Learn more about the Content Hub.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect activity related to the activity described in this blog:

Social engineering / phishing | Latest Threats | Microsoft Security Blog

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware