A financially driven cyber threat group that Microsoft has been tracking under the alias “Storm-0324” is expanding its cyber-attack methodologies. Historically, this group primarily infiltrated systems via email-based infection vectors, later passing on access to the compromised networks to other malicious actors. These handoffs frequently escalate to ransomware attacks.
As of July 2023, Storm-0324 has introduced a novel technique into its arsenal by exploiting an open-source tool to distribute phishing lures via Microsoft Teams chats. It’s crucial to note that this activity is distinctly separate from the Midnight Blizzard social engineering campaigns over Teams observed from May 2023.
Storm-0324’s Profile and Modus Operandi
Storm-0324, also recognized as DEV-0324 by some, overlaps with threat actors identified as TA543 and Sagrid by other researchers. This group essentially serves as a distributor within the cybercrime ecosystem, using phishing and exploit kit vectors to disseminate other attackers’ payloads. Their tactics often revolve around crafty infection chains, typically luring victims with payment and invoice baits. Their distribution list includes the JSSLoader malware, which paves the way for the ransomware-as-a-service (RaaS) actor Sangria Tempest (also known as ELBRUS, Carbon Spider, FIN7).
Historical Context and Attack Techniques
Having been active since at least 2016, Storm-0324 has diversified its malware distribution techniques. They have previously deployed an array of first-stage payloads, such as:
– Nymaim, a downloader and locker
– Gozi version 3, an info stealer
– Trickbot, a modular malware platform
– Gootkit, a banking trojan
– Dridex, another banking trojan
– Sage ransomware
– GandCrab ransomware
– IcedID, an information-stealing malware
However, since 2019, their primary distribution tool has been JSSLoader, which eventually provides access to the ransomware actor Sangria Tempest.
Storm-0324’s Teams-Based Phishing
In July 2023, Storm-0324 ventured into using Microsoft Teams for phishing, embedding malicious links within chats that direct victims to malicious SharePoint-hosted files. This method likely leverages a public tool known as TeamsPhisher, a Python-based program that malicious actors can exploit to deliver phishing attachments.
To combat this, Microsoft has intensified its countermeasures against such phishing campaigns. Microsoft has suspended identified accounts and tenants linked to suspicious or fraudulent behavior. To further shield users, Microsoft has also enhanced the Accept/Block feature within Teams one-on-one chats so that it highlights that the sender is external and shows their email address. This serves as a precautionary measure, urging Teams users to remain wary of unknown or potentially malicious senders.
Defensive Recommendations
To bolster defenses against Storm-0324 attacks, organizations should:
– Adopt phishing-resistant authentication methods.
– Establish Conditional Access authentication strength.
– Define trusted Microsoft 365 organizations, specifying which external domains can engage in chats and meetings.
– Maintain Microsoft 365 auditing enabled.
– Educate users about potential threats, especially regarding social engineering and credential phishing attacks.
– Emphasize to Microsoft Teams users the importance of verifying ‘External’ tags on messages and refraining from sharing sensitive data over chats.
– Implement Conditional Access App Control in Microsoft Defender for Cloud Apps.
– Enable Zero-hour auto purge (ZAP) in Microsoft Office 365 to quarantine potential threats.
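The following script is an added example, not code from the original post or from Microsoft's advisory. It assumes the MicrosoftTeams and ExchangeOnlineManagement modules are installed and that an administrator has already run Connect-MicrosoftTeams and Connect-ExchangeOnline; it only reads configuration and reports gaps against two of the recommendations above (trusted external domains and auditing), changing nothing.

```powershell
# Added example: audit a tenant against two of the recommendations above.
# Assumes active Connect-MicrosoftTeams and Connect-ExchangeOnline sessions.

function Test-TeamsExternalAccess {
    $fed = Get-CsTenantFederationConfiguration
    $findings = @()

    # "Define trusted Microsoft 365 organizations": AllowedDomains should be an
    # explicit allow list. The default object type is AllowAllKnownDomains
    # (assumption: type name check is used here rather than a documented flag).
    if ($fed.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains') {
        $findings += 'External access allows every known domain; define an explicit allow list of partner domains.'
    }

    # Personal (consumer) Teams accounts are outside any partner allow list,
    # so chats from them deserve the same scrutiny as unknown external senders.
    if ($fed.AllowTeamsConsumer) {
        $findings += 'Communication with personal Teams accounts is permitted.'
    }
    if ($fed.AllowTeamsConsumerInbound) {
        $findings += 'Personal Teams accounts may initiate chats with users in this tenant.'
    }
    return $findings
}

function Test-UnifiedAuditLog {
    # "Maintain Microsoft 365 auditing enabled": the unified audit log is what
    # lets responders reconstruct Teams chat and SharePoint activity later.
    $cfg = Get-AdminAuditLogConfig
    if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
        return @('Unified audit log ingestion is disabled.')
    }
    return @()
}

$issues = @(Test-TeamsExternalAccess) + @(Test-UnifiedAuditLog)
if ($issues.Count -eq 0) {
    'No gaps found against the checked recommendations.'
} else {
    $issues | ForEach-Object { "FINDING: $_" }
}
```

Run it from an administrative session after the two Connect-* cmdlets; each FINDING line maps to one of the bullet points above and can be closed with Set-CsTenantFederationConfiguration or Set-AdminAuditLogConfig respectively.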
By adhering to these guidelines and maintaining an active, vigilant stance, organizations can significantly reduce their vulnerability to cyber threats like Storm-0324 and ensure the safety and integrity of their systems and data.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.