Ransomware Access Broker Leverages Microsoft Teams Titles for Account Theft


A Microsoft warning has been issued about a new phishing campaign which is being undertaken by one of its first-level access brokers. This campaign uses Teams messages as lures to sneak into corporate networks to collect sensitive data. 
Under the control of Google’s Threat Intelligence team, the cluster has been named Storm-0324, and it is closely monitored either under the name TA543 or Sigrid, as well as under the alias Storm-0324.

Security researchers at Microsoft have noticed that the financially motivated group Storm-0324 has started using Teams to target potential victims, which they believe is a means of gaining easy access to their computer systems. 

As a payload distributor within the cybercriminal economy, Storm-0324 offers a service that is aimed at providing evasive infection chains as a means of propagating various payloads that are used in the manifestation of systems.

There are a variety of types of malware that have been identified in this study, including downloaders, banking trojans, ransomware, as well as modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader. 

This actor has used decoy emails referencing invoices and payments in the past to trick users into downloading SharePoint-hosted ZIP archive files with JSSLoader, a malware loader able to profile and load additional payloads on infected machines.
In the past, he has used similar decoy email messages to trick users into downloading these files.

It seems that Microsoft has assigned a temporary name, Storm-0324, to this particular threat actor before gaining clarity about the origin or identity of the individual behind the operation, and this suggests that Microsoft is not fully confident about the origin or identity of this particular threat actor. 

After Storm-0324 successfully compromised corporate networks with the use of JSSLoader, Gozi and Nymaim, the notorious cybercrime gang FIN7 was able to gain access to their systems. FIN7 has been observed deploying the Clop ransomware on the networks of its victims. 
It is also known as Sangria Tempest and ELBRUS. Before the now-defunct BlackMatter and DarkSide ransomware-as-a-service (Raas) operations took place, the ransomware was also known to be linked to Maze and REvil ransomware. 
Storm-0324 is also a malware distributor that distributes payloads for other malware authors, according to Microsoft. This group employs evasive tactics and uses payment and invoice lures to lure victims into their traps. It has been proven that the gang has distributed malware for FIN7 and Cl0p, both well-known Russian cybercrime gangs. 
It has been discovered that Storm-0324 is responsible for spreading phishing scams over Teams. Cybercriminals employ TeamsPhisher to scale up the mission of phishing, which allows tenants of Teams to attach files to messages that are sent to external tenants. 
Attackers send victims links that lead them to malicious SharePoint-hosted files.

The Microsoft Teams vulnerability causing these attacks was previously said by Microsoft to have not met the requirements for immediate remediation. 

Enterprise administrators can minimize this risk by modifying security settings so that only certain domains are allowed to communicate with their employees, or by making it impossible for tenants to contact their employees outside their premises.
Furthermore, Microsoft explains that it has made several improvements to protect itself from such threats and to improve its defences against them. They have also enhanced the Accept/Block experience within Teams’ one-to-one chats, in addition to suspending accounts and tenants whose behaviour is deemed inauthentic or fraudulent. 
In this manner, Teams users are reminded that the externality of a user and their email address is important so that they are more careful in interacting with unknown or malicious senders and do not interact with those users.

In addition, there has been an enhancement to the notification feature for tenant admins when new domains are created in their tenants, which allows them to monitor if any new domains are created on their tenant’s premises. 

It is believed that the group is leveraging previously compromised Microsoft 365 instances, most of which belong to small businesses, in their phishing attacks to create new domains that look as if they are technical support accounts for small businesses. 
These individuals are then persuaded by the group to approve the multi-factor authentication prompts initiated by the attacker through Teams messages.

A new onmicrosoft.com subdomain is established using compromised instances that have been renamed and used to set up the new instance. 

Microsoft 365 uses the onmicrosoft.com domain name as a fallback if there is no custom domain created by the user. To provide credibility to the technical support-themed messages that are sent out as a lure by attackers, they often use security terms or product-specific names in these subdomain names. 
Specifically, the goal is to target users who have been set up to utilize passwordless authentication on their accounts or have obtained credentials for accounts that they have previously acquired credentials for. During the authentication process, the user is required to enter a code displayed on the screen of their mobile device into the prompt in Microsoft Authenticator, which is displayed during the authentication process.

%d bloggers like this: