Blogs on Microsoft Security
Malware distributor Storm-0324 facilitates ransomware access. Storm-0324 (DEV-0324) is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool for sending phishing lures through Microsoft Teams chats.

Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Since February 2023, Microsoft has observed a high volume of password spray attacks attributed to Peach Sandstorm, an Iranian nation-state group. In a small number of cases, Peach Sandstorm successfully authenticated to an account and used a combination of publicly available and custom tools for persistence, lateral movement, and exfiltration.

Uncursing the ncurses: Memory corruption vulnerabilities found in library. Microsoft discovered a set of memory corruption vulnerabilities in a library called ncurses, which provides an API that supports text-based user interfaces and is commonly used on POSIX operating systems, including Linux, macOS, and FreeBSD.
Threat Analytics Reports / Actor, activity & technique profiles (Portal access needed)
Activity profile: OAuth apps used in BEC and phishing. Microsoft Threat Intelligence has been monitoring the creation of suspicious OAuth applications by compromised users. The compromise begins with initial access through phishing emails that leads to session cookie theft. Some of these applications were used for business email compromise (BEC) financial attacks and sent phishing emails, while other applications remained inactive. In certain cases, compromised users engaged in a BEC attack created OAuth applications to sustain persistence and evade defenses by creating an inbox rule to hide the emails sent by the OAuth application.

Technique profile: Brute-force attacks. In an identity attack like brute force, attackers can obtain the credentials to one account and access any sensitive resources that user can access, often evading scrutiny by masquerading as the compromised user. This creates a cyclical attack pattern, in which one compromised account provides access to resources for additional credential harvesting, and thus even further resource access.

Activity profile: Emerald Sleet conducts adversary-in-the-middle phishing attacks. On August 7, 2023, Emerald Sleet (THALLIUM) conducted a targeted phishing (spear phishing) attack against an individual associated with an organization focused on foreign relations and public policy.

CVE-2023-36802 Elevation of Privilege in Microsoft Streaming Service Proxy. Microsoft discovered limited in-the-wild exploitation of an elevation of privilege vulnerability in MSKSSRV.sys (the Microsoft Streaming Service Proxy).

Actor profile: Emerald Sleet. The threat actor Microsoft tracks as Emerald Sleet (THALLIUM) is a nation-state actor based out of North Korea and has been active since at least 2013. The threat actor is known to primarily target individuals working in international affairs, with a special focus on those whose work relates to North-Eastern Asia, as well as non-government organizations, government agencies and services, and media in North America, South America, Europe, and East Asia.

Actor profile: Onyx Sleet. The actor Microsoft tracks as Onyx Sleet (PLUTONIUM) is a North Korea-affiliated activity group, active since at least 2014. Onyx Sleet is known to primarily target the military, defense, and technology industries, predominately in India, South Korea, and the United States.

Activity profile: Malicious OAuth applications being used to automate spam. Microsoft Security Threat Intelligence has been tracking the abuse of OAuth applications that access organizational data and manipulate administrative settings to achieve an attacker's intent. This large-scale campaign was uncovered when several malicious OAuth applications were created and abused to automate spam email delivery to targets. The malicious applications created by the actor typically have permissions to send emails in the context of the consenting user.

Technique profile: QR code phishing with adversary-in-the-middle capability. The use of QR codes (quick-response codes) in phishing emails is a technique used by threat actors to circumvent phishing protections, such as multifactor authentication (MFA). This technique appears in phishing kits with adversary-in-the-middle (AiTM) capabilities.

Technique profile: VM extension abuse. Microsoft Threat Intelligence researchers have identified threat actors abusing VM extensions to facilitate ransomware and extortion, cryptocurrency mining operations, and nation-state-linked espionage.

Actor profile: Storm-0337. The actor that Microsoft tracks as Storm-0337 is a nation-state activity group based out of China. Storm-0337 has primarily targeted organizations in the United States and Southeast Asia. Storm-0337 has used several malware families, including Keyplug and Cobalt Strike.

Technique profile: Pivoting from on-premises to cloud using Microsoft Entra Connect. In recent months, Microsoft Research identified numerous instances of attacks aimed at infiltrating targets' cloud environments by gaining a foothold on their Microsoft Entra Connect servers; in the observed cases the goals were deploying ransomware, causing destructive operations, and maintaining persistence in the target environments. Once inside the cloud, attackers employ a variety of malicious techniques, such as deploying backdoors, escalating privileges, and conducting destructive operations such as deletion of cloud resources.

Actor profile: Charcoal Typhoon. The actor Microsoft tracks as Charcoal Typhoon (CHROMIUM) is a nation-state sponsored group operating from China whose primary motive is to perform espionage and collect intelligence on targets. While the group primarily targets entities in the Asia region, it has also impacted European and North American entities.

Activity profile: Qakbot distributor Storm-0464 shifts to DarkGate and IcedID. Storm-0464 (DEV-0464) is a financially motivated access broker known for distributing Qakbot and facilitating access for hands-on-keyboard ransomware operators like Storm-0506, Storm-0216, and Storm-0826, who deploy Black Basta ransomware. Storm-0464 has also distributed other malware, such as SquirrelWaffle and Pikabot. In September 2023, the group began leveraging DarkGate and IcedID in its initial access campaigns. Storm-0464 is tracked by other security companies as TA577.

Actor profile: Sapphire Sleet. The actor that Microsoft tracks as Sapphire Sleet (formerly COPERNICIUM) is a nation-state sponsored group operating from North Korea since as early as March 2020. The group focuses primarily on organizations in the cryptocurrency sector, but has been observed expanding its targets to banks within the financial services sector since September 2022.

Actor profile: Storm-0485. The actor Microsoft tracks as Storm-0485 is associated with prolific credential phishing activity that has been ongoing since Microsoft began tracking the actor in October 2021. Storm-0485 phishing attacks can circumvent multi-factor authentication (MFA) protections through adversary-in-the-middle (AiTM) capabilities.