Tuesday, December 24, 2024
HomeCyber Security NewsMicrosoft Teams as a Tool for Storm-0324 Threat Group to Hack Corporate...

Microsoft Teams as a Tool for Storm-0324 Threat Group to Hack Corporate Networks

Published on

SIEM as a Service

According to recent reports, a threat actor known as Storm-0324 has been using email-based initial infection vectors to attack organizations.

However, as of July 2023, the threat actor has been found to have been using Microsoft Teams to send Phishing emails.

Once the threat actor gains access, they hand off the access to other threat actors who continue to further exploit the systems for sensitive information.

- Advertisement - SIEM as a Service

It has also been identified as working alongside the Sangria Tempest ransomware-as-a-service (RaaS) actor, distributing the JSSLoader malware and providing access to the Sangria threat group. 

The attack chain of Storm-0324 involves highly evasive infection chains using invoice and payment lures. Storm-0324 was also found to be distributing payloads from other threat actors through phishing and exploit kit vectors.

It is recommended that companies employ advanced email protection With Trusitifi Inbound Shield, which offers powerful multi-layered scanning technology.

Storm-0324, Sangria Tempest & JSSLoader

Storm-0324 and Sangria Tempest have been working together ever since 2019. Storm-0324 hands-off access to Sangria after delivering the first-stage malware payload, JSSLoader.

The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer, Nymaim downloader, and locker.

The delivery chain begins with a phishing email mentioning a payment or invoice and containing a link to a SharePoint site that hosts a ZIP archive.

The ZIP archive consists of a file with embedded JS code, resulting in the exploitation of the CVE-2023-21715 local security feature bypass vulnerability. When the file is opened, it launches the JS code, which drops a JSSLoader variant DLL. 

In some instances, users might also be asked to enter a security code or password before opening the document, adding an additional level of believability for the user. 

Source: Microsoft 
Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

New Teams-based phishing

As reported by Cyber Security News, Storm-0324 has been using TeamsPhisher, a publicly available tool for sending a Teams message with a malicious link pointing to a malicious SharePoint-hosted file. 

“We[Microsoft] have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders .” reads the report by Microsoft.

In such cases, Trustifi’s AI-powered email security helps you stay one step ahead of today’s malicious email-based threats. – .

Recommendations by Microsoft

As part of defending this threat actor, Microsoft has provided specific recommendations to its users, which are mentioned below,

Microsoft suggests that groups take the steps it gives to stop this threat actor from breaking into their network.

Keep informed about the latest cybersecurity news by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...