On September 12, Microsoft released new information about the threat actor Storm-0324, a group that gains initial access to systems through email-based phishing and then sells or hands that access to other malicious groups. The transfer of access typically leads to ransomware deployment, making Storm-0324 essentially a middle-man for system intrusion: a group that specializes in initial penetration rather than the follow-on attack. According to Microsoft’s insights, Storm-0324 is associated with various malware strains, including JSSLoader, which facilitates access for ransomware-as-a-service actors like Sangria Tempest (also known as ELBRUS, Carbon Spider, FIN7). In the past, Storm-0324 has been linked to the distribution of malware such as the Gozi infostealer and the Nymaim downloader and locker.
Storm-0324’s Expansive Phishing Resume
One of the prime characteristics that makes Storm-0324 stand out as a threat actor is its ability to craft convincing malicious email chains. The group uses traffic distribution systems (TDS) such as BlackTDS and Keitaro to filter and route visitor traffic, which helps it evade detection by certain security solutions. These emails often impersonate legitimate services such as DocuSign and QuickBooks, baiting users into clicking links that lead to SharePoint-hosted files containing malicious JavaScript. The infection chain that follows typically involves the delivery of a first-stage payload through various file formats, including Microsoft Office documents, Windows Script Files (WSF), and VBScript. According to Microsoft, these payloads have included malware such as Nymaim, Gozi, Trickbot, Gootkit, Dridex, Sage ransomware, GandCrab ransomware, and IcedID.
Since 2019, however, Storm-0324 has predominantly distributed JSSLoader, which ultimately hands off access to the prominent ransomware actor Sangria Tempest. This handoff begins with phishing emails referencing invoices or payments, leading victims to a SharePoint site hosting a ZIP archive. Once the JavaScript within this archive is executed, a JSSLoader variant DLL is dropped, followed by additional Sangria Tempest tooling.
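As an added example (not code from the original post or from Microsoft's report), the following Python triage heuristic scores message-trace records against the chain described above: an external sender, an invoice or payment lure, a SharePoint-hosted link, and an archive or script file name. The record layout and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample records (assumed export format, not real telemetry):
# one dict per email or Teams message with sender, external flag, subject, links.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "billing@contoso-invoices.example", "external": True,
     "subject": "Overdue invoice #4471 - payment required",
     "links": ["https://tenant123.sharepoint.com/:u:/s/shared/Invoice_4471.zip?download=1"]},
    {"id": "m2", "sender": "alice@corp.example", "external": False,
     "subject": "Q3 planning deck",
     "links": ["https://corp.sharepoint.com/sites/plan/Deck.pptx"]},
    {"id": "m3", "sender": "docs@notify.example", "external": True,
     "subject": "Your document is ready for signature",
     "links": ["https://example.com/sign/abc"]},
    {"id": "m4", "sender": "ap@vendor.example", "external": True,
     "subject": "Payment remittance",
     "links": ["https://vendor-my.sharepoint.com/personal/ap/Remittance.js"]},
]

# Lure wording the post attributes to the campaign (invoice/payment themes).
LURE_TERMS = re.compile(r"\b(invoice|payment|remittance|overdue)\b", re.IGNORECASE)
# Archive and script formats named in the post as first-stage carriers.
SCRIPT_ARCHIVE_EXT = (".zip", ".js", ".jse", ".wsf", ".vbs")


def score_message(msg):
    """Return (score, reasons): one point per matched indicator of the chain."""
    reasons = []
    if msg.get("external", False):
        reasons.append("external sender")
    if LURE_TERMS.search(msg.get("subject", "")):
        reasons.append("invoice/payment lure")
    for link in msg.get("links", []):
        parsed = urlparse(link)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        if host.endswith(".sharepoint.com"):
            reasons.append("sharepoint-hosted link")
        if path.endswith(SCRIPT_ARCHIVE_EXT):
            reasons.append("archive/script file: " + path.rsplit("/", 1)[-1])
    return len(reasons), reasons


def triage(messages, threshold=3):
    """Return ids of messages that match at least `threshold` indicators."""
    return [m["id"] for m in messages if score_message(m)[0] >= threshold]
```

A single SharePoint link or a single external sender scores 1 and is not flagged; only messages that stack several of the chain's traits reach the analyst queue.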
New Teams Phish and Microsoft’s Response
In recent developments, Storm-0324 has started sending phishing lures over Microsoft Teams, leveraging a tool called TeamsPhisher to reach targeted users. Microsoft has taken proactive measures to combat these threats, suspending accounts and tenants associated with the fraudulent activity. To lessen the impact of this new campaign, they have “rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders,” in essence making it clearer to Teams users when they are chatting with people outside of their organization. In addition to these enhancements, they also implemented “new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant,” which will help prevent the impersonation tactics used in this social engineering.
Microsoft recommends that defenders implement the following steps to prevent Storm-0324 attacks:
- Deploy authentication methods that are resilient to phishing attacks, safeguarding user credentials.
- Require phishing-resistant authentication for employees and external users accessing critical applications, enhancing security.
- Train users about social engineering and credential phishing threats, emphasizing caution with unsolicited messages and MFA code sharing.
- Utilize Safe Links in Microsoft Defender for Office 365 to verify URLs and neutralize malicious links.
- Activate ZAP (zero-hour auto purge) in Microsoft Office 365 to quarantine and neutralize threats post-delivery.
- Limit the use of domain-wide, administrator-level service accounts, reducing the risk of unauthorized access and malware installation.
How Can Netizen Help?
Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –