Storm-0324 Threat Group Expands Attack Vectors, Targeting Microsoft Teams

By ISBuzz Team, Writer, Information Security Buzz | Sep 15, 2023 09:03 am PST

A financially driven cyber threat group that Microsoft has been tracking under the alias “Storm-0324” is expanding its cyber-attack methodologies. Historically, this group primarily infiltrated systems via email-based infection vectors, later passing on access to the compromised networks to other malicious actors. These handoffs frequently escalate to ransomware attacks.

As of July 2023, Storm-0324 has introduced a novel technique into its arsenal by exploiting an open-source tool to distribute phishing lures via Microsoft Teams chats. It’s crucial to note that this activity is distinctly separate from the Midnight Blizzard social engineering campaigns over Teams observed from May 2023.

Storm-0324’s Profile and Modus Operandi

Storm-0324, also recognized as DEV-0324 by some, overlaps with threat actors identified as TA543 and Sagrid by other researchers. This group essentially serves as a distributor within the cybercrime ecosystem, using phishing and exploit kit vectors to disseminate other attackers’ payloads. Their tactics often revolve around crafty infection chains, typically luring victims with payment and invoice baits. Their distribution list includes the JSSLoader malware, which paves the way for the ransomware-as-a-service (RaaS) actor Sangria Tempest (also known as ELBRUS, Carbon Spider, FIN7).

Historical Context and Attack Techniques

Having been active since at least 2016, Storm-0324 has diversified its malware distribution techniques. They have previously deployed an array of first-stage payloads, such as:

– Nymaim, a downloader and locker

– Gozi version 3, an info stealer

– Trickbot, a modular malware platform

– Gootkit, a banking trojan

– Dridex, another banking trojan

– Sage ransomware

– GandCrab ransomware

– IcedID, an information-stealing malware

However, since 2019, their primary distribution tool has been JSSLoader, which eventually provides access to the ransomware actor Sangria Tempest.

Storm-0324’s Teams-Based Phishing

In July 2023, Storm-0324 ventured into using Microsoft Teams for phishing, embedding malicious links within chats that direct victims to malicious SharePoint-hosted files. This method likely leverages a public tool known as TeamsPhisher, a Python-based program that malicious actors can exploit to deliver phishing attachments.

To combat this, Microsoft has intensified its countermeasures against such phishing campaigns. Microsoft has suspended identified accounts and tenants linked to suspicious or fraudulent behavior. To further shield users, Microsoft has also enhanced the Accept/Block feature within Teams one-on-one chats, emphasizing the external nature of a user and their email address. This serves as a precautionary measure, urging Teams users to remain wary of unknown or potentially malicious senders.

Defensive Recommendations

To bolster defenses against Storm-0324 attacks, organizations are recommended to:

– Adopt phishing-resistant authentication methods.

– Establish Conditional Access authentication strength.

– Define trusted Microsoft 365 organizations, specifying which external domains can engage in chats and meetings.

– Maintain Microsoft 365 auditing enabled.

– Educate users about potential threats, especially regarding social engineering and credential phishing attacks.

– Emphasize to Microsoft Teams users the importance of verifying ‘External’ tags on messages and refraining from sharing sensitive data over chats.

– Implement Conditional Access App Control in Microsoft Defender for Cloud Apps.

– Enable Zero-hour auto purge (ZAP) in Microsoft Office 365 to quarantine potential threats.
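As an added example that is not part of the article or of any Microsoft guidance, the following PowerShell script audits a tenant against the configurable items in the list above: Teams external access (trusted organizations), unified auditing, and ZAP in the anti-malware and anti-spam policies. It assumes the MicrosoftTeams and ExchangeOnlineManagement modules are installed and that an administrator has already run Connect-MicrosoftTeams and Connect-ExchangeOnline; the partner domain names are placeholders. Conditional Access authentication strength is configured in Entra ID and is not checked here.

```powershell
# Added example: read-only audit of tenant settings against the recommendations above.
# Assumes an existing Connect-MicrosoftTeams and Connect-ExchangeOnline session.
# The remediation cmdlets are left commented out so nothing changes until an admin decides to.

# Constructed placeholders: replace with the partner domains your organization actually trusts.
$TrustedDomains = @('partner1.example', 'partner2.example')

function Test-TeamsPhishingDefenses {
    $findings = [System.Collections.Generic.List[string]]::new()

    # --- Trusted Microsoft 365 organizations: which external domains may reach users in Teams ---
    $fed = Get-CsTenantFederationConfiguration
    # When external access is open to every domain, AllowedDomains is an AllowAllKnownDomains object.
    if ($fed.AllowFederatedUsers -and ("$($fed.AllowedDomains)" -match 'AllowAllKnownDomains')) {
        $findings.Add('Teams external access is open to all domains; restrict it to an allow list.')
    }
    # Unmanaged (consumer) Teams accounts are a common source of unsolicited chats.
    if ($fed.AllowTeamsConsumer -or $fed.AllowTeamsConsumerInbound) {
        $findings.Add('Consumer Teams accounts can message tenant users; consider disabling.')
    }

    # --- Microsoft 365 auditing ---
    $audit = Get-AdminAuditLogConfig
    if (-not $audit.UnifiedAuditLogIngestionEnabled) {
        $findings.Add('Unified audit log ingestion is disabled.')
    }

    # --- Zero-hour auto purge (ZAP) across every anti-malware and anti-spam policy ---
    foreach ($p in Get-MalwareFilterPolicy) {
        if (-not $p.ZapEnabled) { $findings.Add("Malware ZAP disabled in policy '$($p.Identity)'.") }
    }
    foreach ($p in Get-HostedContentFilterPolicy) {
        if (-not $p.PhishZapEnabled) { $findings.Add("Phish ZAP disabled in policy '$($p.Identity)'.") }
        if (-not $p.SpamZapEnabled)  { $findings.Add("Spam ZAP disabled in policy '$($p.Identity)'.") }
    }

    return $findings
}

$result = Test-TeamsPhishingDefenses
if ($result.Count -eq 0) {
    'No gaps found against the checked recommendations.'
} else {
    $result | ForEach-Object { "FINDING: $_" }
}

# Remediation, to be run deliberately after reviewing the findings:
# Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $TrustedDomains
# Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
# Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
# Get-MalwareFilterPolicy | Set-MalwareFilterPolicy -ZapEnabled $true
# Get-HostedContentFilterPolicy | Set-HostedContentFilterPolicy -PhishZapEnabled $true -SpamZapEnabled $true
```

The allow-list check matches on the object's string form because the federation configuration reports an AllowAllKnownDomains object when external access is unrestricted and a list of Domain= entries otherwise; if your module version renders it differently, inspect `$fed.AllowedDomains` directly before relying on the finding.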

By adhering to these guidelines and maintaining an active, vigilant stance, organizations can significantly reduce their vulnerability to cyber threats like Storm-0324 and ensure the safety and integrity of their systems and data.

Max Gannon, Senior Cyber Threat Intelligence Analyst
September 15, 2023 5:07 pm

Chat systems such as Slack and Teams need to be acknowledged by organizations as something that poses the same threat level as credential phishing emails. Any system that can be manipulated to take advantage of a user’s trust can be used as a method of entry. For example, websites can have popup advertisements claiming to have detected malware on the user’s computer and offering remediation which is just a technique used to take advantage of the user’s trust in order to install malware. There are a huge number of methods like this that threat actors can use. Treating any one source as being a non-issue or as having a negligible threat level can easily come back to haunt decision-makers. That said, training users in any one platform enables them to apply the same skills and skepticism to any other platform. These incidents really drive home the necessity of organizations using all the tools at their disposal to account for threats they haven’t even yet recognized.

Mike Newman, CEO
September 15, 2023 5:05 pm

“This is a sophisticated phishing scam that will catch out many victims because they will not realise criminals can hijack on Microsoft Teams to carry out attacks.

People understand the techniques criminals can use to send phishing scams via email, but with Teams being seen as an internal communications platform, employees place more trust in the tool and are more likely to open and action documents they receive in chats.

For organisations that are worried about this threat, it is essential to educate employees on all the different techniques criminals can use to launch phishing attacks – from emails, phone calls, SMS to messaging platforms.

Furthermore, with many of these scams being developed to steal employee credentials, organisations can improve their defences by removing passwords from employee hands. This means even when highly sophisticated scams do reach user inboxes, they can’t be tricked into handing over their credentials because they simply do not know them.

Removing credentials and passwords from users can be achieved by implementing modern Identity Management solutions, which improve security but also remove cumbersome security checks within the enterprise to enhance the user experience and increase operational efficiency.”
