September 18, 2023
Severity
High
Analysis Summary
Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing campaigns in order to breach corporate networks.
This financially motivated threat group is tracked as Storm-0324. The actor has also been linked to the deployment of several ransomware families, including Sage and GandCrab.
In the past, Storm-0324 has also been observed selling access to corporate networks to cybercrime gangs such as FIN7. FIN7 (aka Sangria Tempest and ELBRUS) is infamous for deploying Clop ransomware on its victims’ networks and has also been linked to Maze and REvil ransomware.
“In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file. For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher,” according to Microsoft.
TeamsPhisher is an open-source tool that bypasses the restrictions Teams places on files coming from external accounts, making it easy to send phishing attachments to users on Teams. It does this by exploiting a weakness in Microsoft Teams that Microsoft declined to address back in July.
The same issue was also exploited by Russia-backed APT29 in attacks against governments and organizations worldwide. In that campaign, victims were tricked into approving multifactor authentication prompts so that their credentials could be stolen.
After detecting Storm-0324’s phishing attacks on Teams, Microsoft suspended all the accounts used in this campaign. The company stated that it has been working to stop these attacks and protect users. Accounts used by threat actors for these phishing tactics are now labeled as “EXTERNAL” users in organizations where external access is enabled in the tenant settings.
Impact
- Credential Theft
- Sensitive Data Theft
- Financial Loss
- Identity Theft
Remediation
- Implement multi-factor authentication (MFA) and strong password policies to enhance access control.
- Regularly update and patch software and systems to mitigate vulnerabilities.
- Conduct regular security audits and penetration testing to identify and address weaknesses.
- Encrypt sensitive customer and investor data both in transit and at rest to prevent unauthorized access in case of a breach.
- Ensure secure storage of backups and sensitive information with access restricted to authorized personnel only.
- Train employees and staff on cybersecurity best practices and how to recognize phishing attempts and social engineering tactics.
- Develop a robust incident response plan that outlines steps to take in the event of a breach. This should include procedures for containment, investigation, and notification of affected parties.
- Evaluate and enhance the security of third-party vendors and partners who have access to sensitive data.
Microsoft also suggests some recommendations including:
- Pilot and deploy phishing-resistant authentication methods for users.
- Implement Conditional Access authentication strength, requiring phishing-resistant authentication for both employees and external users for critical applications.
- Specify trusted Microsoft 365 organizations to determine which external domains are allowed or blocked for chat and meeting purposes.
- Keep Microsoft 365 auditing enabled to ensure that audit records are available for investigation when necessary.
- Evaluate and select the most suitable access settings for external collaboration within your organization.
- Only allow known devices that adhere to Microsoft’s recommended security baselines.
- Educate users about social engineering and credential phishing attacks, emphasizing the importance of not entering Multi-Factor Authentication (MFA) codes from unsolicited messages.
- Educate Microsoft Teams users to verify ‘External’ tags on communication attempts from external sources, be cautious about sharing information, and never share account credentials or authorize sign-in requests over chat.
- Configure Microsoft Defender for Office 365 to recheck links on click, enhancing protection against malicious links in various Microsoft applications.
- Practice the principle of least privilege and maintain strong credential hygiene, avoiding the use of domain-wide administrator-level service accounts.
- Turn on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus to quickly identify and stop new and unknown threats.
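The two Microsoft recommendations above about trusted Microsoft 365 organizations and external collaboration settings are the controls that decide whether an unknown external tenant can open a chat with your users at all. The following is an added example, not code from the advisory or from Microsoft, showing how an admin can review the current Teams federation posture and replace open federation with an explicit allow list using the MicrosoftTeams PowerShell module. It assumes the module is installed, the operator holds the Teams Administrator role, and the domain names in `$TrustedDomains` are placeholders to be replaced with the organization's real partners.

```powershell
# Added example (not from the Rewterz advisory or Microsoft). Requires the
# MicrosoftTeams module and a Teams Administrator account.
# Constructed placeholder list: replace with the partner tenants you actually trust.
$TrustedDomains = @('partner-example.com', 'vendor-example.org')

function Get-TeamsExternalAccessPosture {
    # Summarise the settings that control who can chat with your users from outside.
    $cfg = Get-CsTenantFederationConfiguration
    [PSCustomObject]@{
        FederationEnabled      = $cfg.AllowFederatedUsers
        # When federation is open to every domain this shows "AllowAllKnownDomains";
        # otherwise it lists the explicit allow list.
        AllowedDomains         = $cfg.AllowedDomains
        BlockedDomains         = $cfg.BlockedDomains
        ConsumerTeamsAllowed   = $cfg.AllowTeamsConsumer
        ConsumerInboundAllowed = $cfg.AllowTeamsConsumerInbound
    }
}

function Set-TeamsExternalAccessAllowList {
    param([Parameter(Mandatory)][string[]]$Domains)
    # Corrected posture: keep federation on for named partners only, and stop
    # personal (consumer) Teams accounts from starting chats with staff.
    Set-CsTenantFederationConfiguration `
        -AllowFederatedUsers $true `
        -AllowedDomainsAsAList $Domains `
        -AllowTeamsConsumer $false `
        -AllowTeamsConsumerInbound $false
}

Connect-MicrosoftTeams

Write-Host '--- Current external access posture (weak if AllowedDomains is AllowAllKnownDomains) ---'
Get-TeamsExternalAccessPosture | Format-List

Set-TeamsExternalAccessAllowList -Domains $TrustedDomains

Write-Host '--- Posture after applying the allow list ---'
Get-TeamsExternalAccessPosture | Format-List
```

Run the posture check on its own first; the allow-list change is tenant-wide, so confirm the partner list with the business before applying it.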