Vulnerabilities  
September 14, 2023

Ransomware access brokers use Microsoft Teams phishing to pilfer user accounts

Microsoft has reported that an initial access broker with prior ties to ransomware groups has started using Microsoft Teams phishing to break into corporate networks.

The operation is run by a financially motivated threat group that Microsoft tracks as Storm-0324. Storm-0324 has recently handed access to corporate networks over to the well-known FIN7 cybercrime group, after first compromising those networks with the JSSLoader, Gozi and Nymaim malware families.

FIN7, also tracked as Sangria Tempest and ELBRUS, has been observed deploying Clop ransomware on victims' networks. The group was previously linked to Maze and REvil ransomware, before the BlackMatter and DarkSide ransomware-as-a-service (RaaS) operations shut down.

Microsoft's report on Tuesday revealed that in July 2023 Storm-0324 began phishing through Teams, sending chat messages containing links to malicious SharePoint-hosted files. Microsoft assesses that Storm-0324 is most likely using a publicly available tool known as TeamsPhisher for this.

TeamsPhisher is an open-source utility that lets an attacker with their own Microsoft 365 tenant bypass the restriction on incoming files from external tenants and deliver phishing attachments straight into a target's Teams chat. The tool relies on a security issue in Microsoft Teams that Microsoft declined to fix in July, saying it did not meet the bar for immediate servicing.
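Because TeamsPhisher-style tooling only works if the attacker's tenant is allowed to start a chat with your users, the practical control is to stop trusting every Microsoft 365 tenant by default. The following PowerShell is an added example, not code from the original post or from Microsoft: it records the open (weak) federation settings, then replaces them with an explicit partner allow list and disables chats from Teams consumer (personal) accounts. It needs the MicrosoftTeams module and a Teams administrator account; the two partner domains are placeholders, not real organisations.

```powershell
# Added example: audit and tighten Microsoft Teams external access so that
# unsolicited chats (and the file links they carry) from unknown tenants
# never reach users. Requires the MicrosoftTeams module and a Teams admin.
# "partner-a.example" and "partner-b.example" are placeholder domains.

Connect-MicrosoftTeams

# 1. Capture the current state. On a default tenant this typically shows
#    AllowFederatedUsers = True, AllowTeamsConsumer = True and an
#    AllowedDomains value of AllowAllKnownDomains, i.e. any tenant can
#    message your users and drop links into their chats.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer,
    AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains

# 2. Corrected state. Federation stays on, because partners still need it,
#    but only the listed domains may initiate or receive chats, and
#    personal (consumer) Teams accounts are cut off entirely.
$partners = @("partner-a.example", "partner-b.example")   # placeholders
$patterns = $partners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

Set-CsTenantFederationConfiguration `
    -AllowedDomains $allowList `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 3. Verify. AllowedDomains should now list only the partner patterns; a
#    tenant outside that list can no longer open a chat with your users,
#    which removes the delivery path TeamsPhisher depends on.
(Get-CsTenantFederationConfiguration).AllowedDomains
```

If an allow list is not workable for your organisation, the weaker but still useful alternative is to leave `AllowedDomains` open and keep a `BlockedDomains` list fed from incident data, combined with the "Accept/Block" prompt that Microsoft now shows users on a first chat from an external tenant. Either way, re-run step 1 after the change and keep the output with the change record, because the setting is tenant-wide and easy to revert by accident.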

The same issue was exploited by APT29, the hacking division of Russia's Foreign Intelligence Service (SVR), in attacks against numerous organisations worldwide, including government agencies.

While Microsoft did not say what Storm-0324's latest attacks are ultimately after, APT29's attacks aimed to steal victims' credentials by tricking them into approving multifactor authentication (MFA) prompts. Storm-0324 itself has a history of deploying Sage and GandCrab ransomware in earlier campaigns.

To sum up

Microsoft has responded with a set of changes to Teams: external users are now labelled more clearly, the Accept/Block prompt shown on a first message from an external tenant has been refined, and restrictions on creating new domains within tenants have been tightened. Microsoft has also suspended the tenants and accounts it identified as being used in these campaigns. Together these give users and administrators better means of spotting and blocking an attacker's tenant before a link is clicked.

It's worth emphasising that having a cyber security team on board is invaluable for monitoring and responding to events like these. A capable team does more than roll out security settings: it watches for emerging threats, assesses exposure to issues such as this one, and works with vendors like Microsoft to get risks addressed promptly.

Microsoft's suspension of the attacker-controlled tenants and accounts also underlines the value of continuous monitoring and a practised incident response process. A cyber security team can set up the monitoring needed to detect unusual activity quickly, such as chats and file links arriving from unfamiliar tenants, and can act immediately to contain a potential breach.

To find out more about our cyber security services here at Cybaverse, click here to see if there is a way we can support you.
