
Microsoft Teams-Based Phishing Alert

Recent findings reveal a novel phishing technique that uses Microsoft Teams messages to gain a foothold in business networks. The campaign is run by an initial access broker that analysts track as Storm-0324; the same group is also known as TA543 and Sagrid.

Since July 2023, Storm-0324 has reportedly used an open-source tool to deliver phishing lures through Microsoft Teams chats, a departure from the email vectors the group has commonly relied on.

Storm-0324 operates primarily as a payload distributor in the cybercriminal ecosystem, delivering a range of malware families. Notable examples include Nymaim, Gozi, and TrickBot, among others.

In their earlier strategies, the group relied on deceptive emails, usually invoice or payment themed, which prompted users to download harmful ZIP files from SharePoint. These ZIPs carried the JSSLoader malware, which can diagnose infected systems and deliver supplementary malicious payloads.

Isogent’s analysis mirrors Microsoft’s observations which noted, “The actor employs evasive email chains using systems like BlackTDS and Keitaro. These allow tailoring of user traffic, enabling the bypass of certain security measures and leading victims to their harmful download platforms.”

Following the malware’s successful deployment, the ransomware group known as Sangria Tempest gains access. This group, also referred to as Carbon Spider and FIN7, then executes further exploitative maneuvers and initiates file encryption malware.

A Modern Approach to Phishing

A more contemporary version of the phishing campaign emerged in July 2023. Instead of emails, attackers sent Teams messages containing malicious links, which directed users to a harmful ZIP file hosted on SharePoint. This shift is attributed to an open-source tool, TeamsPhisher, which lets Teams users attach files to messages sent to external recipients. The method appears to exploit a weakness spotlighted by JUMPSEC in June 2023.
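The lure pattern described above has a simple defensive signature: a message from an external tenant that links to a ZIP archive on a SharePoint host. The following Python is an added example, not code from Isogent, Microsoft or the TeamsPhisher project; the message record layout and the sample messages are constructed for illustration and do not reproduce any real audit log schema.

```python
"""Flag Teams chats matching the Storm-0324 lure: an external sender whose
message links to a ZIP archive hosted on SharePoint.
Record layout and samples are constructed for this example."""
import json
from urllib.parse import urlparse

# Constructed sample records (not a real Microsoft audit export).
SAMPLE_MESSAGES = [
    {"sender": "billing@contoso-invoices.example", "sender_tenant": "external",
     "text": "Your invoice is ready: https://contoso-invoices.sharepoint.com/sites/pay/Invoice_8841.zip"},
    {"sender": "alice@corp.example", "sender_tenant": "internal",
     "text": "Draft deck is here https://corp.sharepoint.com/sites/mkt/Deck.pptx"},
    {"sender": "it-help@corp-support.example", "sender_tenant": "external",
     "text": "Please review http://files.example/readme.txt"},
]

ARCHIVE_EXTENSIONS = (".zip",)  # extend if your policy covers other archives


def extract_urls(text):
    """Return whitespace-delimited http(s) tokens, trimming trailing punctuation."""
    return [tok.strip(".,;)") for tok in text.split()
            if tok.lower().startswith(("http://", "https://"))]


def is_sharepoint_archive(url):
    """True if the URL points at an archive on any *.sharepoint.com host."""
    parsed = urlparse(url)
    host = parsed.hostname or ""  # hostname is already lower-cased
    return host.endswith(".sharepoint.com") and parsed.path.lower().endswith(ARCHIVE_EXTENSIONS)


def flag_message(msg):
    """Return an alert dict for an external-sender message with a SharePoint archive link, else None."""
    if msg.get("sender_tenant") != "external":
        return None
    hits = [u for u in extract_urls(msg.get("text", "")) if is_sharepoint_archive(u)]
    if not hits:
        return None
    return {"sender": msg["sender"], "urls": hits,
            "reason": "external tenant + SharePoint archive link"}


def scan(messages):
    """Run flag_message over a batch and keep only the alerts."""
    return [alert for alert in map(flag_message, messages) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_MESSAGES):
        print(json.dumps(alert))
```

Such a rule is a triage aid, not a block list: internal users legitimately share SharePoint archives, which is why the external-tenant condition is required before a message is flagged.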

Notably, the Russian threat actor APT29 adopted a parallel strategy in May 2023, targeting approximately 40 global enterprises with a similar technique.

To counteract these threats, security enhancements have been rolled out, and suspicious accounts linked to fraudulent activities have been suspended.

Highlighting the severity, Isogent stresses, “Recognizing and addressing Storm-0324 actions is vital, as it can preempt severe subsequent attacks, especially ransomware.”

Recent Disclosures in Cybersecurity

Adding to the cybersecurity discourse, Kaspersky recently unveiled tactics used by the infamous ransomware outfit known as Cuba. Additionally, a new alias, “V Is Vendetta,” was identified, believed to be linked to a sub-group or affiliate.

Following the ransomware-as-a-service model, this group targets companies worldwide and profits from its illicit operations. Its attacks exploit various vulnerabilities to deploy malware such as Cobalt Strike and BUGHATCH.

2023 has seen a considerable surge in ransomware attacks. Authorities like the U.K. National Cyber Security Centre and National Crime Agency emphasize the importance of solid cyber hygiene. They pointed out, “While focusing on particular ransomware types can be perplexing, the root of most attacks is generally due to poor cyber practices.”

Stay Protected with Isogent

In this evolving digital landscape, staying updated and vigilant is paramount. Trust Isogent for insights, best practices, and solutions to safeguard your business assets.

Protect Your Business With Isogent’s Synchronized Security Stack

With our Synchronized Security Stack, your organization will be protected from every type of cyberattack and threat. Set up a technology or security assessment today with one of our experts to see how protected your business really is.
