
Threat Update: Storm-0558, Cloaked Ursa Phishing, Meta’s Ads Manager, Storm-0978 and PyLoose Fileless Attack

Analysis of Storm-0558 Techniques for Unauthorized Email Access

Background:

Storm-0558 is a China-based threat actor whose activities and methods are consistent with cyberespionage objectives. The group has abused OAuth applications, token theft and token replay against Microsoft accounts since at least August 2021. From April to July 4, 2023, a new Storm-0558 campaign targeted approximately 25 organizations, including government agencies, together with related consumer accounts. The actor forged Azure AD tokens for enterprise users with an acquired Microsoft account (MSA) consumer signing key: a token-validation error in Microsoft code meant that a token signed with a consumer key was accepted by enterprise services, so the forged tokens passed as legitimate. Storm-0558 then used PowerShell and Python scripts to perform REST API calls against the OWA Exchange Store service and extract email data.
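
The trust-scoping mistake at the centre of this incident, reduced to a few lines as an added illustration. This is not Microsoft's code or the real Azure AD validation logic: HMAC-SHA256 stands in for the RSA signing keys used in practice, the key IDs, secrets and issuer URLs are constructed for the example, and the vulnerable validator simply merges the consumer and enterprise key stores into one, which is enough to reproduce the effect of a consumer key vouching for an enterprise identity.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Two separate key stores, as the consumer (MSA) and enterprise (Azure AD) signing
# keys are. HMAC stands in for RSA; key IDs and secrets are constructed for this example.
CONSUMER_KEYS = {"msa-key-2016": b"consumer-signing-secret-CONSTRUCTED"}
ENTERPRISE_KEYS = {"aad-key-2023": b"enterprise-signing-secret-CONSTRUCTED"}

CONSUMER_ISSUER = "https://login.live.com"                        # assumed consumer issuer
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso"   # assumed tenant issuer
MAIL_AUDIENCE = "https://outlook.office365.com"                    # assumed resource audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a JWT-shaped token: header.payload.signature, HS256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str, keyset: dict) -> Optional[dict]:
    """Return the claims if the header's 'kid' names a key in keyset and the MAC checks out."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64url_decode(head))
    except (ValueError, UnicodeDecodeError):
        return None
    key = keyset.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def validate_vulnerable(token: str) -> Optional[dict]:
    # The flaw: one merged trust store, so a valid signature from ANY known key is
    # enough, and the issuer claim inside the token is taken at face value.
    return _verify_signature(token, {**CONSUMER_KEYS, **ENTERPRISE_KEYS})


def validate_fixed(token: str, expected_issuer: str, expected_audience: str) -> Optional[dict]:
    # The fix: the key store is chosen by the issuer the caller expects, and the signed
    # claims must agree with that expectation. A consumer-key signature can never
    # vouch for an enterprise issuer because that key is not in the enterprise store.
    keyset = ENTERPRISE_KEYS if expected_issuer == ENTERPRISE_ISSUER else CONSUMER_KEYS
    claims = _verify_signature(token, keyset)
    if claims is None:
        return None
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        return None
    return claims


def forge_enterprise_token_with_consumer_key() -> str:
    """What a holder of the consumer key can do: sign claims for an enterprise identity."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "upn": "victim@contoso.example"}
    return sign_token(claims, "msa-key-2016", CONSUMER_KEYS["msa-key-2016"])


if __name__ == "__main__":
    forged = forge_enterprise_token_with_consumer_key()
    print("vulnerable validator accepts forged token:", validate_vulnerable(forged) is not None)
    print("fixed validator accepts forged token:",
          validate_fixed(forged, ENTERPRISE_ISSUER, MAIL_AUDIENCE) is not None)
```

The point of the fixed validator is that key selection is driven by what the relying party expects, not by what the token says about itself: a `kid` header is an index into a trust store the verifier has already chosen, never a reason to widen that store.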

Takeaway:

Microsoft has blocked the underlying validation error, invalidated the actor-acquired MSA signing key and states that no customer action is required for the original issue. Storm-0558 has since transitioned to other techniques. Because a forged token involves no credential theft on the victim side, the only trace is in access logs: review Exchange Online mailbox audit events (MailItemsAccessed) and Azure AD sign-in logs for the campaign window for mailbox access from unfamiliar infrastructure, and confirm that audit logging is actually enabled for your tenant before you need it.

Diplomats Beware: Cloaked Ursa Phishing With a Twist

Background:

In 2023 the Russia-sponsored Cozy Bear group (APT29, Cloaked Ursa, Midnight Blizzard/Nobelium) carried out direct cyberespionage against diplomats. In February and March the group targeted the Turkish Ministry of Foreign Affairs; in May at least 22 diplomatic missions in Kyiv, Ukraine were targeted with phishing attachments. In both cases the Microsoft Graph and Dropbox APIs were abused for C2 communication. Payloads recovered from these incidents shared their encryption implementation and other traits with previously reported Cozy Bear malware families such as SNOWYAMBER and QUARTERRIG.

Takeaway:

Network defenders should apply additional scrutiny to attachments with the following file extensions: .hta, .htm, .html, .mht, .mhtml, .svg, .xht and .xhtml. Treat this as a scrutiny list rather than a block list, since .html and .svg also arrive in legitimate mail. Teach users to recognise mismatched and obfuscated file extensions (double extensions such as .pdf.hta, names padded with trailing spaces, and right-to-left override characters that make the displayed extension differ from the real one). Look for hidden files and directories inside archives.
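
A scanner that applies the checks in this takeaway to an archive, as an added example that is not from the original post or from any vendor tool. It walks the entries of an in-memory zip and flags the extensions listed above, double and padded extensions, hidden (dot-prefixed) files and directories, nested archives, and the Unicode right-to-left override trick; the sample archive it builds is constructed for the example and contains no real malware.

```python
import io
import zipfile

# Extensions the takeaway singles out; every one can carry script or smuggle a payload.
RISKY_EXTENSIONS = {".hta", ".htm", ".html", ".mht", ".mhtml", ".svg", ".xht", ".xhtml"}
# Nested archives deserve a second look too: they are where hidden entries usually live.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".img"}
# Right-to-left override: "report\u202efdp.html" renders as "reportlmth.pdf" in many UIs.
RTLO = "\u202e"


def classify_name(name: str) -> list:
    """Return the reasons an archive entry deserves scrutiny (empty list = nothing notable)."""
    flags = []
    parts = [p for p in name.split("/") if p]
    if any(p.startswith(".") for p in parts):
        flags.append("hidden")               # dot-prefixed file or directory component
    if RTLO in name:
        flags.append("rtlo")                 # displayed extension is not the real one
    base = parts[-1] if parts else ""
    if base != base.rstrip(" ."):
        flags.append("padded-ext")           # "invoice.html " or "invoice.html." tricks
    norm = base.rstrip(" .").lower()
    exts = ["." + e for e in norm.split(".")[1:]]   # every extension after the first dot
    if exts and exts[-1] in RISKY_EXTENSIONS:
        flags.append("risky-ext")            # the last extension is what the OS honours
    if len(exts) >= 2:
        flags.append("double-ext")           # "brochure.pdf.hta"
    if exts and exts[-1] in ARCHIVE_EXTENSIONS:
        flags.append("nested-archive")
    return flags


def scan_archive(data: bytes) -> dict:
    """Map each flagged entry of an in-memory zip to its list of flags."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            flags = classify_name(info.filename)
            if flags:
                report[info.filename] = flags
    return report


def build_sample_archive() -> bytes:
    """Constructed sample: a lure archive exercising the tricks the takeaway warns about."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff")                   # benign
        zf.writestr("brochure.pdf.hta", b"<script></script>")       # double extension
        zf.writestr("report" + RTLO + "fdp.html", b"<html></html>")  # shows as reportlmth.pdf
        zf.writestr(".cache/loader.svg", b"<svg></svg>")             # hidden directory
        zf.writestr("invoice.html ", b"<html></html>")               # trailing space
        zf.writestr("extra.zip", b"PK")                              # nested archive
    return buf.getvalue()


if __name__ == "__main__":
    for entry, flags in scan_archive(build_sample_archive()).items():
        print(f"{entry!r}: {', '.join(flags)}")
```

Classification works on the stored name only, so it is cheap enough to run on every attachment at the mail gateway; pair it with content-type sniffing for entries whose bytes do not match their extension.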

Criminals Target Businesses with Malicious Extension for Meta’s Ads Manager and Accidentally Leak Stolen Accounts

Background:

Malwarebytes has identified a Vietnam-based campaign that impersonates Facebook Ads Manager to steal the session cookies of Facebook business accounts. More than 800 victims have been identified worldwide (310 in the USA), with over $180K in ad budgets compromised. Fake Ads Manager software is promoted on Facebook itself, with links to password-protected RAR archives hosted on various cloud services (Google, Trello and others). The extracted MSI installer deploys several components and spawns a new browser window, launched with a custom malicious extension, that sends the target to the Facebook login page. The extension steals Facebook cookies and exfiltrates them by abusing Google Analytics. The end goal is to hijack ad budgets and place malicious ads that ensnare further victims, along with other abuse of the accounts.

Takeaway:

Facebook business account owners should regularly review their transaction history and revoke the access of unknown users in their Business Manager profile. Be cautious around promoted content and double-check the domains offering installers and other software components; a password-protected archive delivered from a file-sharing link is a common sign that the content is meant to evade scanning.

Storm-0978 Attacks Reveal Financial and Espionage Motives

Background:

RomCom (DEV-0978, Storm-0978) is a Russia-based threat group that has conducted ransomware operations since at least May 2022 and cyberespionage since October 2022. Its intrusions have used trojanized software, phishing emails and, most recently, exploitation of CVE-2023-36884, a remote code execution vulnerability triggered via crafted Microsoft Word documents. The June 2023 RomCom cyberespionage campaign used Ukrainian-themed phishing lures carrying a fake OneDrive loader, which delivered a backdoor similar to the RomCom backdoor to defence and government entities in Europe and North America. The group’s ransomware campaigns can begin with the same initial payloads but are opportunistic, hitting the telecommunications and finance industries. RomCom obtains SYSTEM-level privileges and dumps password hashes from the Security Account Manager (SAM) via the Windows registry, then uses the Impacket framework’s SMBExec and WMIExec functionality for lateral movement. In July 2023 RomCom began using a ransomware variant called Underground, which shares significant code with its earlier Industrial Spy ransomware.

Takeaway:

Network defenders are advised to enforce the “Block all Office applications from creating child processes” attack-surface reduction rule (rule ID D4F940AB-401B-4EFC-AADC-AD5F3C50688A). Keep systems updated and, where no patch is yet available, apply Microsoft’s CVE-2023-36884-specific mitigation: add the Office executable names (Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, Powerpnt.exe, Visio.exe, WinProj.exe, WinWord.exe, Wordpad.exe) as REG_DWORD values of 1 under HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION. Microsoft notes that this setting can affect Office functionality that relies on cross-protocol navigation, so test it before a broad rollout. Customers using Microsoft Defender for Office 365 are protected against the attachments that exploit this vulnerability.
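
Detection logic for the post-exploitation chain described above, run over constructed process-creation events, as an added example that is not from the original post or from Microsoft. It flags an Office application spawning a child process (the behaviour the ASR rule blocks), `reg save` of the SAM, SYSTEM or SECURITY hives, and the loopback-share output redirection that Impacket’s smbexec and wmiexec leave in command lines. The event records and file paths are constructed for the example, not real telemetry.

```python
import re

# Process-creation events as a SIEM might present them (constructed sample, not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\Public\OneDrive.exe"'},
    {"parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r"reg save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"parent": "services.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat "
                r"& %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"parent": "WmiPrvSE.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1690123456.789 2>&1"},
    {"parent": "explorer.exe", "image": "WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" report.docx'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe",
               "mspub.exe", "visio.exe", "outlook.exe"}

# reg.exe saving the SAM, SYSTEM or SECURITY hive: SAM holds the hashes, SYSTEM the
# boot key needed to decrypt them, SECURITY the cached domain credentials.
HIVE_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b", re.I)
# Impacket smbexec: a service runs a batch file whose output goes to a share on loopback.
SMBEXEC = re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output|%TEMP%\\execute\.bat", re.I)
# Impacket wmiexec: Win32_Process.Create runs cmd.exe with output sent to ADMIN$\__<timestamp>.
WMIEXEC = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+", re.I)


def detect(events):
    """Return (event index, rule name) pairs for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
        # Mirrors the ASR rule: an Office application should not be spawning other processes.
        # Tune with an allowlist (e.g. print spooler helpers) before alerting in production.
        if parent in OFFICE_APPS and image not in OFFICE_APPS:
            hits.append((i, "office-child-process"))
        if HIVE_DUMP.search(cmd):
            hits.append((i, "sam-hive-dump"))
        if SMBEXEC.search(cmd):
            hits.append((i, "impacket-smbexec"))
        if WMIEXEC.search(cmd):
            hits.append((i, "impacket-wmiexec"))
    return hits


if __name__ == "__main__":
    for index, rule in detect(SAMPLE_EVENTS):
        print(f"event {index}: {rule}: {SAMPLE_EVENTS[index]['cmdline']}")
```

The Impacket patterns match the tool’s default templates; operators who edit those strings will slip past them, so the hive-dump and Office-child rules, which key on behaviour rather than tooling, are the ones worth keeping even if the others go noisy.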

PyLoose: Python-Based Fileless Malware Targets Cloud Workloads to Deliver Cryptominer

Background:

First detected on June 22, 2023, a new fileless attack dubbed PyLoose has hit close to 200 cloud workloads (the collections of cloud assets that together support a defined process). The attack uses a short Python script to load the XMRig miner directly into memory, which traditional file-based security tooling struggles to detect: it abuses the Linux memfd_create system call to create an anonymous RAM-backed file, writes the miner into it and executes it from there, so no miner binary is ever written to disk. Wiz researchers traced the initial access vector to publicly accessible Jupyter Notebook services that did not restrict system command execution.
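
Both sides of the memfd technique, as an added example that is not PyLoose’s code or anything from the Wiz report: `run_from_memory` shows how an executable is launched from an anonymous RAM-backed file without touching disk, and `scan_proc` shows the corresponding hunt, since the kernel reports such processes with an `/proc/<pid>/exe` link of the form `/memfd:<name> (deleted)`. The demonstration in the main block uses the system’s own `sleep` binary as a harmless stand-in for the miner and the name “kworker” as a constructed example of the deceptive names loaders choose; it requires Linux.

```python
import os
import shutil
import subprocess
import time


def is_memfd_exe(exe_target: str) -> bool:
    """True if a process's /proc/<pid>/exe link points at a memfd rather than a path on disk.

    The kernel names such files "/memfd:<name>"; because they were never linked into a
    filesystem, readlink() reports them as "/memfd:<name> (deleted)".
    """
    return exe_target.startswith("/memfd:")


def find_memfd_processes(proc_table):
    """Filter an iterable of (pid, exe_target) pairs down to the PIDs running from memory."""
    return [pid for pid, exe in proc_table if is_memfd_exe(exe)]


def scan_proc():
    """Walk the live /proc table (Linux only; reading other users' exe links needs privilege)."""
    table = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            table.append((int(entry), os.readlink(f"/proc/{entry}/exe")))
        except OSError:
            continue  # kernel thread, process already gone, or permission denied
    return find_memfd_processes(table)


def run_from_memory(elf_bytes: bytes, argv) -> subprocess.Popen:
    """The technique itself: write an ELF into an anonymous RAM file and execute it.

    argv[0] is what `ps` shows; the name given to memfd_create is what /proc/<pid>/exe shows.
    """
    fd = os.memfd_create("kworker")  # benign-looking name, constructed for the example
    os.write(fd, elf_bytes)
    # pass_fds keeps the descriptor open across fork/exec so /proc/self/fd/N resolves in the child.
    return subprocess.Popen(argv, executable=f"/proc/self/fd/{fd}", pass_fds=(fd,))


if __name__ == "__main__":
    # Stand-in payload: the system's own `sleep` binary plays the role of the miner.
    with open(shutil.which("sleep"), "rb") as f:
        payload = f.read()
    child = run_from_memory(payload, ["sleep", "30"])
    time.sleep(0.5)  # give the child a moment to exec
    print("child exe:", os.readlink(f"/proc/{child.pid}/exe"))  # e.g. /memfd:kworker (deleted)
    print("memfd-backed PIDs:", scan_proc())
    child.terminate()
```

A few legitimate tools also execute from memfd (container runtimes that clone their own binary, for instance), so the scan is a triage list rather than a verdict; what makes it useful is that the miner can rename itself in `argv` but cannot change what the exe link reports.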

Takeaway:

Organizations should limit unnecessary public exposure of Jupyter Notebook services: require token or password authentication, bind the server to localhost or a private interface, and front it with an authenticating reverse proxy if remote access is genuinely needed. On the host, a process whose /proc/<pid>/exe link points at a memfd rather than a file on disk is a strong indicator of this technique; a few legitimate tools use memfd too, so confirm before acting.



This post first appeared on Rootshell Security, please read the original post: here
