In a recent cybersecurity alert, Microsoft drew attention to an emerging phishing strategy in which attackers use Microsoft Teams messages to breach enterprise systems.
The company's Threat Intelligence unit has been actively monitoring the group, tracked as Storm-0324. Other aliases for the same group include TA543 and Sagrid.
Microsoft reported, “Since July 2023, our observations show Storm-0324 leveraging an open-source utility to dispatch phishing baits via Microsoft Teams chats.” This indicates a notable pivot from the conventional email-first methods of launching cyberattacks.
Operating primarily as a payload distributor within the cybercrime ecosystem, Storm-0324 specializes in delivering a range of malicious payloads through evasive infection chains. Its repertoire spans banking trojans such as Gozi and TrickBot to ransomware strains such as GandCrab and Sage.
Previously, the group's method involved sending deceptive emails, usually mimicking invoices or payment notices, urging recipients to download malicious ZIP files hosted on SharePoint. These ZIP files frequently contained JSSLoader, a malware family known for profiling compromised systems and deploying additional malware.
Microsoft stated, “Their email strategies are intricately crafted, frequently deploying traffic management platforms like BlackTDS and Keitaro. These platforms have the prowess to customize user traffic and evade certain security parameters.”
Having successfully infiltrated a system, the malicious software opens doors for ransomware syndicates such as Sangria Tempest (alternatively known as Carbon Spider, ELBRUS, and FIN7) to carry out further exploitative maneuvers and execute file-encryption ransomware.
Phishing Paradigm Shift
In July 2023 a noticeable change in approach emerged. The phishers now turn to Teams, sending malicious links that point to malicious ZIP files on SharePoint. This shift is attributed to an open-source utility dubbed TeamsPhisher, a tool designed to exploit a shortcoming that JUMPSEC brought to light in June 2023. A similar technique was used by the Russia-based group APT29 (alias Midnight Blizzard), which targeted around 40 global organizations in May 2023.
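The lure pattern described above (a message arriving from an external tenant that links to a SharePoint-hosted ZIP archive) is simple enough to triage automatically. The following is an added example, not code from Microsoft or from the tool mentioned; the message records and their field names (`sender`, `external`, `body`) are constructed assumptions rather than any real Teams export format.

```python
import re
from urllib.parse import urlparse

# Constructed sample Teams chat records; field names are assumptions, not a real export schema.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "billing@contoso-invoices.example", "external": True,
     "body": "Your invoice is ready: https://contoso-my.sharepoint.com/:u:/g/personal/x/Invoice_2023.zip?download=1"},
    {"id": "m2", "sender": "alice@corp.example", "external": False,
     "body": "Slides here https://corp.sharepoint.com/sites/eng/Shared%20Documents/deck.pptx"},
    {"id": "m3", "sender": "helpdesk@corp-support.example", "external": True,
     "body": "Reset your password at https://corp-support.example/reset"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Only ZIP is named in the article; extend the tuple if other archive lures are in scope.
ARCHIVE_EXTS = (".zip",)


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def is_sharepoint_archive_link(url):
    """True if the URL points at an archive file on a *.sharepoint.com host."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()  # query string (e.g. ?download=1) is ignored on purpose
    return host.endswith(".sharepoint.com") and path.endswith(ARCHIVE_EXTS)


def score_message(msg):
    """Return the reasons a message matches the external-sender + SharePoint ZIP lure pattern."""
    reasons = []
    if not msg.get("external"):
        return reasons  # internal senders are out of scope for this rule
    for url in extract_urls(msg.get("body", "")):
        if is_sharepoint_archive_link(url):
            reasons.append(f"external sender shared a SharePoint-hosted archive: {url}")
    return reasons


def triage(messages):
    """Map message id -> reasons, keeping only messages that need analyst review."""
    flagged = {}
    for msg in messages:
        reasons = score_message(msg)
        if reasons:
            flagged[msg["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_MESSAGES).items():
        print(msg_id, reasons)
```

Run against the constructed sample, only `m1` is flagged; the internal SharePoint share and the external non-archive link pass through, which is the false-positive behaviour a review queue needs.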
In response to this threat, Microsoft has fortified its security defenses and has acted promptly to “suspend accounts and associated entities demonstrating suspicious or deceptive behaviors.”
The company emphasized the significance of early detection and mitigation, stating, “Timely identification and action against Storm-0324’s intrusions can avert the potentially catastrophic aftermath of ransomware invasions.”
Separately, Kaspersky published a detailed report on the operations of the Cuba ransomware group, also tracked as COLDDRAW and Tropical Scorpius. The researchers also identified a new alias, "V Is Vendetta", believed to belong to a subsidiary or affiliate of the group.
The Cuba group, following the RaaS model, exploits vulnerabilities such as ProxyLogon, ZeroLogon, and flaws in Veeam Backup & Replication software. Its end goal is typically to deploy tools such as Cobalt Strike or its own backdoor, BUGHATCH.
Commenting on the menace, Kaspersky mentioned, “The Cuba cybercriminal unit boasts a diverse toolkit. Their array spans from publicly accessible tools to their tailored solutions. Their methodologies, some quite treacherous, are always up-to-date.”
2023 has seen a marked escalation in ransomware incidents. A recent report from the U.K. National Cyber Security Centre (NCSC) and National Crime Agency (NCA) stated, “Emphasizing specific ransomware variations can be misleading. Most breaches aren’t a result of advanced tactics but more due to opportunistic entries, usually because of inadequate cybersecurity measures.”