Phishing through Microsoft Teams enables ransomware attacks

In a recent report by Microsoft, it has been revealed that a criminal access broker known as Storm-0324 has been exploiting the trust users have in Microsoft Teams to carry out phishing attacks. This threat actor has been distributing various malware strains, with a particular focus on delivering JSSLoader before granting access to the Sangria Tempest ransomware actor, also known as FIN7.

According to Microsoft, Storm-0324 employs email themes that often reference invoices and payments, imitating well-known services like DocuSign and Quickbooks. Users are then redirected to a SharePoint-hosted compressed file that contains JavaScript which downloads the malicious DLL payload. This deceptive technique allows the threat actor to trick unsuspecting victims into downloading malware.
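A defender can triage the delivery step described above (a compressed file that contains a script) by listing archive members without extracting or running them. The following is an added example, not code from Microsoft or Cofense; the extension list, lure words, function names and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed triage list: script types Windows runs on double-click.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
# Lure words drawn from the themes named in the article.
LURE_WORDS = ("invoice", "payment", "docusign", "quickbooks")


def triage_archive(name, data):
    """Inspect one downloaded ZIP without extracting or running anything."""
    result = {"archive": name, "scripts": [], "lure_words": [], "error": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        result["error"] = "unreadable archive"
        return result
    for member in members:
        lower = member.lower()
        # Only the final extension matters, so "x.pdf.js" counts as a script.
        if "." in lower and lower[lower.rfind("."):] in SCRIPT_EXTS:
            result["scripts"].append(member)
    haystack = " ".join([name] + members).lower()
    result["lure_words"] = [w for w in LURE_WORDS if w in haystack]
    return result


def needs_review(result):
    """Script inside an archive, or an archive we could not read: escalate."""
    return bool(result["scripts"]) or result["error"] is not None


def make_zip(files):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, body in files.items():
            zf.writestr(fname, body)
    return buf.getvalue()


# Constructed samples: names and contents are invented for this example.
LURE_ZIP = make_zip({"Invoice_8841.pdf.js": "// placeholder, no real code"})
BENIGN_ZIP = make_zip({"minutes/2023-09.txt": "meeting notes"})

if __name__ == "__main__":
    for label, blob in [("Payment_Details.zip", LURE_ZIP),
                        ("minutes.zip", BENIGN_ZIP), ("broken.zip", b"oops")]:
        r = triage_archive(label, blob)
        print(label, needs_review(r), r["scripts"], r["lure_words"], r["error"])
```

A script member is the escalation signal here; the lure words only add context for the analyst and are not sufficient on their own.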

While Storm-0324 is primarily motivated by financial gain, its attack methods demonstrate a high level of sophistication. The threat actor’s email chains use traffic distribution systems (TDS) such as BlackTDS and Keitaro, which let it tailor user traffic and avoid detection by certain IP ranges that might belong to security solutions like malware sandboxes. This enables Storm-0324 to redirect users to its malicious download site without being detected.

This report highlights the potential risks associated with collaboration tools like Slack and Microsoft Teams. Max Gannon, Senior Cyber Threat Intelligence Analyst at Cofense, believes that organizations need to recognize that these chat systems pose the same level of threat as credential phishing emails. He emphasizes that any system that can be manipulated to exploit a user’s trust can serve as a method of entry for threat actors.

Gannon points out that users should not be complacent when it comes to trusting any particular source. Treating any platform or source as a non-issue or as having a negligible threat level can have serious consequences. To mitigate these risks, Gannon suggests training users on various platforms so they can apply the same skills and skepticism across different sources. Organizations should also utilize all available tools to address threats, even those that may not have been recognized yet.

The Microsoft report serves as a reminder that cybercriminals are constantly evolving their tactics and targeting popular platforms and tools. It is crucial for organizations and users to stay vigilant, continuously educate themselves about potential threats, and implement robust security measures to protect against phishing attacks and malware infections.

As collaboration tools become increasingly integrated into daily business operations, it is important for users and organizations to prioritize security and be cautious when interacting with messages and files, even if they appear to come from trusted sources. By staying proactive and following best practices for cybersecurity, businesses can minimize the risk of falling victim to attacks like those carried out by Storm-0324 and other threat actors.
