norm. threat bulletin: 20th September 2023


Corporate employees the new target of Microsoft Teams phishing campaign

In a recent post by its threat intelligence team, Microsoft announced that it has uncovered a new phishing campaign run by the threat actor tracked as Storm-0324, which it first observed using this technique in July 2023. Storm-0324 acts as a distributor in the cybercriminal economy: it delivers other attackers' malicious payloads through phishing and other initial-access vectors, and the access it gains has historically been handed on to ransomware operators.

Storm-0324 has featured in phishing campaigns for years, and several of its attacks have shared the same methodology. Phishing emails referencing invoices, payments and other financial matters are sent to targets in the hope of either interesting or alarming the recipient. Each email contains a link to a SharePoint site hosting a ZIP file; the ZIP contains a file with embedded JavaScript which, when launched, drops the JSSLoader malware DLL onto the system.

Microsoft has monitored the new campaign closely, which has allowed its threat intelligence team to work out how it operates. The campaign uses a publicly available Python tool called "TeamsPhisher", which lets a user in one Teams tenant attach files to chat messages and send them to users in other (external) tenants, sidestepping the restriction that normally stops external senders attaching files. This is a serious problem because many users do not expect Teams to be a phishing vector and extend a chat message a level of trust they would not give an unsolicited email. Note that users can only receive messages from external tenants if external access (federation) is enabled for the organisation. Microsoft turns external access on by default, so the feature should be assumed to be on unless an administrator has deliberately restricted it; where it has been disabled, or limited to an allow-list of partner domains, this campaign cannot reach your users.

Microsoft has already rolled out several improvements to better defend against this kind of attack, including suspending accounts and tenants associated with fraudulent behaviour. Microsoft has also enhanced the Accept/Block experience in Teams one-on-one chats so that the external status and email address of a new sender are emphasised before the user engages with them.

The Cyber Safety and Phishing module from norm. teaches users how to spot a likely malicious email. Beyond making users aware of the tactics attackers use, the content trains them to pause before clicking on suspicious emails and links. The same discipline applies to Teams chats: take a minute to assess any message before responding, and never grant remote access to your device on the strength of a message.

References:
Malware distributor Storm-0324 facilitates ransomware access (Microsoft Security Blog)
Microsoft Teams warns of another dangerous phishing attack spreading ransomware (MSN)
New Microsoft Teams Phishing Campaign Targets Corporate Employees (Infosecurity Magazine)


Microsoft Patch Tuesday – September 2023

September 2023's Microsoft Patch Tuesday has arrived, with Microsoft fixing 59 flaws, including five rated Critical and two zero-days that are being actively exploited, as well as two non-Microsoft flaws in Electron and Autodesk products.

According to Microsoft, the patched flaws span Denial of Service (DoS), information disclosure, remote code execution, elevation of privilege, spoofing and more.

The two actively exploited zero-day vulnerabilities patched by Microsoft this month are:

Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability (CVE-2023-36802)

Despite the name, the affected component is not the Microsoft Stream video-sharing service but a Windows kernel driver, the Microsoft Streaming Service Proxy (mskssrv.sys). The flaw is a local privilege escalation; in Microsoft's words, "Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges." An attacker who already has code running as an ordinary user on the machine uses the bug to elevate to SYSTEM. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalogue on the basis of evidence of active exploitation. Satnam Narang, senior staff research engineer at Tenable, told Dark Reading that "it is the eighth elevation of privilege zero-day vulnerability exploited in the wild in 2023." Elevation-of-privilege bugs are a staple of attacker tradecraft because they are chained with an initial-access exploit or a phishing foothold; without one, an intrusion that starts as an unprivileged user is inherently less damaging, so updating affected systems should be treated as a high priority. CISA strongly urges organisations to apply the patch.

Microsoft Word Information Disclosure Vulnerability (CVE-2023-36761)

Microsoft Word documents are a ubiquitous format for sharing reports, images and other writing, which makes them a convenient lure. A document crafted to exploit this flaw makes the victim's machine leak NTLM authentication hashes: when the document is processed, Windows attempts to authenticate to an attacker-controlled server, handing over the user's NTLM challenge-response, which the attacker can crack offline to recover the password or relay to other services. Microsoft rates the bug Important rather than Critical, but the Outlook preview pane is enough to trigger the leak, so the victim does not even have to open the attachment. NTLM is the legacy Windows challenge-response authentication protocol, and the underlying NT hash is simply MD4 of the user's password, so captured material can be brute-forced with commodity hardware. As Dustin Childs of Trend Micro's Zero Day Initiative put it in ZDI's review of the September release: "Regardless of the classification, the preview pane is a vector here as well, which means no user interaction is required. Definitely put this one on the top of your test-and-deploy list."
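The PowerShell below is an added example, not part of the original bulletin and not the CVE-2023-36761 trigger itself. It shows the generic triage check a responder would run on a suspect attachment: unpack the OOXML package and list any relationship whose target is an external UNC path, file:// URL, or an http(s) resource that Office fetches automatically (templates, OLE objects, frames) rather than a plain hyperlink, since those are the references that force Windows to send NTLM credentials to a remote host when the file is opened or previewed. The sample document it builds is constructed for the demonstration; the 203.0.113.5 address is a documentation-range placeholder, and the function and file names are the example's own.

```powershell
# Added example: flag OOXML relationships that would force an outbound NTLM
# authentication. Generic detection logic, not the specific CVE-2023-36761 trigger.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-ExternalRelationships {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Every part's relationships live in a *.rels sidecar inside the package.
            if ($entry.FullName -notlike '*.rels') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in @($rels.Relationships.Relationship)) {
                if ($null -eq $rel -or $rel.TargetMode -ne 'External') { continue }
                $target = [string]$rel.Target
                # UNC (\\host\share) and file:// targets trigger SMB/WebDAV authentication.
                $isUnc = $target -match '^(\\\\|file:)'
                # http(s) targets are only interesting when Office fetches them silently,
                # i.e. on any relationship type other than a user-clicked hyperlink.
                $isAuto = ($target -match '^https?://') -and ($rel.Type -notmatch '/hyperlink$')
                if ($isUnc -or $isAuto) {
                    $findings += [pscustomobject]@{
                        Part   = $entry.FullName
                        Id     = $rel.Id
                        Type   = ($rel.Type -split '/')[-1]
                        Target = $target
                    }
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

function New-SampleDocx {
    # Constructed test input (assumption: a minimal package is enough for the check):
    # one benign image, one benign hyperlink, and one OLE object pointing at a UNC share.
    param([Parameter(Mandatory)][string]$Path)
    if (Test-Path $Path) { Remove-Item $Path -Force }
    $relsXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="\\203.0.113.5\share\lure.doc" TargetMode="External"/>
</Relationships>
'@
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        $entry  = $zip.CreateEntry('word/_rels/document.xml.rels')
        $writer = New-Object System.IO.StreamWriter($entry.Open())
        try { $writer.Write($relsXml) } finally { $writer.Dispose() }
    } finally { $zip.Dispose() }
}

# Usage: build the constructed sample in %TEMP% and scan it.
$sample = Join-Path $env:TEMP 'sample-lure.docx'
New-SampleDocx -Path $sample
Find-ExternalRelationships -Path $sample | Format-Table -AutoSize
```

Only the OLE-object relationship is reported; the ordinary hyperlink is deliberately left unflagged so the check does not drown in benign links. The same scan works on .xlsx and .pptx packages, since they share the relationships model. On the network side, blocking outbound TCP 445 at the perimeter and applying the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy limit the damage from any such lure, patched or not.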

Lastly, one of the Critical-severity vulnerabilities patched this month:

Internet Connection Sharing (ICS) Remote Code Execution Vulnerability (CVE-2023-38148)

Internet Connection Sharing is a Windows service that shares one computer's internet connection with other machines on a local area network (LAN). The vulnerability can only be exploited by an attacker on the same network segment or switch as the target; it is not reachable across different networks. An attacker who has already compromised one machine on the LAN, or who has physical access to the local network, sends a specially crafted network packet to the ICS service on a victim machine to execute code on it, and can then repeat the process against further hosts, turning a single foothold into lateral movement across the segment. ICS is rarely needed on domain-joined workstations and servers, so disabling it where it is not in use removes the exposure, and the patch should be prioritised on any host that does share a connection.
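To act on that advice you need to know which hosts actually have ICS active, not just whether the service exists. The following PowerShell is an added example, not part of the original bulletin: it reports the state of the SharedAccess service and, via the HNetCfg.HNetShare COM interface that Windows exposes for ICS, which adapters (if any) are currently being shared, then offers a function to switch sharing off. It assumes an elevated session on the host being checked; the function names are the example's own.

```powershell
# Added example: audit Internet Connection Sharing (ICS) on the local host and
# disable it where it is not needed. Assumes an elevated PowerShell session.
function Get-IcsStatus {
    # SharedAccess is the Windows service that implements ICS.
    $svc = Get-CimInstance Win32_Service -Filter "Name='SharedAccess'"
    $shared = @()
    # HNetCfg.HNetShare exposes per-adapter sharing state and controls.
    $mgr = New-Object -ComObject HNetCfg.HNetShare
    foreach ($conn in $mgr.EnumEveryConnection) {
        $cfg = $mgr.INetSharingConfigurationForINetConnection($conn)
        if ($cfg.SharingEnabled) {
            # SharingConnectionType 0 = public (the shared-out link), 1 = private (LAN side).
            $role = if ($cfg.SharingConnectionType -eq 0) { 'Public (shared out)' } else { 'Private (LAN side)' }
            $shared += [pscustomobject]@{
                Adapter = $mgr.NetConnectionProps($conn).Name
                Role    = $role
            }
        }
    }
    [pscustomobject]@{
        ServiceState   = $svc.State
        StartMode      = $svc.StartMode
        SharedAdapters = $shared
    }
}

function Disable-Ics {
    # Turn sharing off on every adapter, then stop and disable the service so it
    # cannot be re-enabled from the network adapter UI without admin intervention.
    $mgr = New-Object -ComObject HNetCfg.HNetShare
    foreach ($conn in $mgr.EnumEveryConnection) {
        $cfg = $mgr.INetSharingConfigurationForINetConnection($conn)
        if ($cfg.SharingEnabled) { $cfg.DisableSharing() }
    }
    Stop-Service -Name SharedAccess -Force -ErrorAction SilentlyContinue
    Set-Service  -Name SharedAccess -StartupType Disabled
}

# Usage: report, and warn where the host is actually offering ICS on the segment.
$status = Get-IcsStatus
$status | Format-List
if ($status.ServiceState -eq 'Running' -or $status.SharedAdapters.Count -gt 0) {
    Write-Warning "ICS is active on this host: patch it, or run Disable-Ics if it does not need to share a connection."
    # Disable-Ics   # uncomment on hosts that have no business sharing a connection
}
```

Wrapping the check in Invoke-Command against a list of computer names gives a quick fleet-wide inventory of where the vulnerable service is genuinely exposed, which is the list to patch first.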

References:
Microsoft and Adobe Patch Tuesday, September 2023 Security Update Review (Qualys)
BatLoader Unleashed in Ongoing Webex Malvertising Campaign (Cyware)
Microsoft Patches a Pair of Actively Exploited Zero-Days (Dark Reading)
CVE-2023-36802 Detail (NIST NVD)

DarkGate Loader

As reported in last week's alert, a malware campaign delivering the DarkGate Loader via Microsoft Teams has been active since August 2023; before that the malware was delivered through more traditional email campaigns.

norm. has already worked on three instances of this malware, in which Microsoft Teams chat messages were sent from external Office 365 accounts; these accounts had been compromised and were being used to host the malware in their SharePoint.

norm. recommends that organisations lock down their Microsoft Teams external access settings so that external users and organisations cannot send messages to their users, or, where external collaboration is required, restrict it to an allow-list of trusted partner domains.
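Both the TeamsPhisher campaign described in the first item and this recommendation turn on the same tenant setting, external access (federation). The PowerShell below is an added example, not part of the original bulletin or of Microsoft's own guidance: it audits the current federation configuration with the MicrosoftTeams module and then applies one of two lockdowns, blocking all external tenants or allowing only named partners. It assumes the MicrosoftTeams module is installed, that the signed-in account holds a Teams administrator role, and that the partner domains shown are placeholders to be replaced.

```powershell
# Added example: audit and lock down Microsoft Teams external access (federation).
# Assumes the MicrosoftTeams module is installed and the account is a Teams admin.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Audit: who can currently start a chat with your users from outside the tenant?
$fed = Get-CsTenantFederationConfiguration
$fed | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                     AllowTeamsConsumer, AllowTeamsConsumerInbound | Format-List

# AllowFederatedUsers = True with AllowedDomains = AllowAllKnownDomains is "open
# federation": any Microsoft 365 tenant, including one an attacker created for the
# purpose, can message your users. (Assumption: the string form of AllowedDomains
# contains the type name, which is how the cmdlet displays it.)
if ($fed.AllowFederatedUsers -and ("$($fed.AllowedDomains)" -match 'AllowAllKnownDomains')) {
    Write-Warning "Open federation: any external tenant can message users in this tenant."
}

# 2. Lock down. Pick one mode; 'Block' is the strictest, 'AllowList' keeps named partners.
$Mode = 'AllowList'
switch ($Mode) {
    'Block' {
        # No external tenant can reach your users at all.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
    }
    'AllowList' {
        # Only the listed partner domains can message in; placeholders below.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
            -AllowedDomainsAsAList @('partner1.example.com', 'partner2.example.com')
    }
}

# 3. Personal (consumer) Teams accounts are a separate switch; close that path too.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 4. Re-read the configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
```

Changes to tenant federation can take some time to propagate to clients, so re-run the audit step later rather than assuming the first read-back is final. An allow-list is the right choice for most organisations: it keeps collaboration with real partners working while removing the anonymous-tenant access that both TeamsPhisher and the DarkGate Loader campaign depend on.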

For full details of the malware and the remediation actions, see our 12/09/2023 Threat Alert.

Should you receive any suspect messages or have any concerns over your company’s environment please contact the norm. Incident Response team 24 hours a day on 0203 855 5303.


Get norm.’s threat bulletin direct to your inbox

norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.
