Microsoft Teams Hacks Are Back, as Storm-0324 Embraces TeamsPhisher

Published: 23/11/2024   Category: security

Collaboration apps are a boost to business productivity, but also a uniquely attractive target for cyberattackers.



In a campaign carried out this summer, an initial access broker (IAB) used an open source red-team tool to phish organizations via Microsoft Teams, paving the way for follow-on attacks.
The responsible party — known variously as TA543, Storm-0324, and Sagrid — is a financially motivated threat actor known for using phishing emails to breach targets, before passing the buck to ransomware groups. But in its latest efforts, revealed by Microsoft on Sept. 12, it took a different approach: using Microsoft's collaboration app to dupe the unsuspecting and create its openings, via the tool known as TeamsPhisher.
The attacks occurred amid a wave of news about other, unrelated vulnerabilities and breaches affecting the Teams platform, providing yet more evidence that researchers and hackers alike are becoming more interested in business communications apps, even after workforces have returned to the office.
Because Microsoft Teams is typically used within, rather than between, organizations, it normally isn't possible to, say, send a random file to a user from another Teams tenant (organization).
But researchers have been finding workarounds to that hurdle for a while now. In December, a red team operator described on Medium how a little spoofing here and some trickery there could undermine basic security controls in Teams chat, like the ability to start a new chat or erase the "Edited" tag on an edited message.
Similarly, in June, two security researchers developed an exploit for an insecure direct object reference (IDOR) vulnerability, enabling them to bypass Teams' client-side security controls to send files to external tenants. In acknowledging the vulnerability, Microsoft informed the researchers that it did not meet the bar for immediate servicing.
And in July, red-team developer Alex Reid proved Microsoft wrong, combining the work of prior researchers to create TeamsPhisher, a tool for simplifying the process of sending messages and files to external Teams tenants.
In its GitHub entry, Reid described how simply it works:

"Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender's SharePoint, and then iterate through the list of targets. TeamsPhisher will first enumerate the target user and ensure that the user exists and can receive external messages. It will then create a new thread with the target user... With the new thread created between our sender and the target, the specified message will be sent to the user along with a link to the attachment in SharePoint."
According to Microsoft's research, the Storm-0324 threat actor seems to have pounced on the tool within the very same month it was published.
All of this could spell trouble for organizations down the line. In the past, Storm-0324 has most often used its unauthorized corporate network access to distribute the JSSLoader, then hand over the keys to the notorious financial and ransomware actor FIN7 (aka Sangria Tempest, ELBRUS, Carbon Spider, Carbanak Group, and Cobalt Group).
In its blog, Microsoft felt the need to distinguish Storm-0324's campaign from another phishing campaign affecting Teams environments, carried out by a different threat actor, Midnight Blizzard (aka Nobelium, APT29, UNC2452, and Cozy Bear).
To Steven Spadaccini, vice president of threat intelligence for SafeGuard Cyber, it makes sense that threat actors are increasingly targeting Microsoft's collaboration app.

"Most business communications today take place outside of traditional email, in collaboration apps like Microsoft Teams. Attackers know this too and are tailoring their attack mechanisms for these high-traffic cloud workplace channels," he says, adding that the application's proximity to the rest of the device, and all the other apps on that device, makes it a potential entry point for serious trouble, and account compromise is a key security concern.
Often, in fact, organizations don't even realize just how valuable their Teams environments are. Spadaccini cites a recent personal experience, auditing the Teams channel for a healthcare company.

"We determined that 30% of the customer's business communications occurred in Teams," he says. "This quantifies the continuous stream of risk to the company and the potential avenues for compromise, such as data exfiltration and/or IP loss."
According to Justin Klein Keane, director of the cyber fusion center and incident response at MorganFranklin Consulting, Teams doesn't yet face the extent of threats seen on other messaging and productivity platforms.

"We have definitely observed targeted attacks using collaboration apps," he says, "but surprisingly, Teams is not frequently a component of these attacks, probably owing to its enterprise tenancy and integration with Microsoft Defender for Office 365, which provides for some tight operational controls over Teams (probably leading to Microsoft being able to identify attacks on Teams). Other, more distributed platforms like Discord, Slack, and Telegram have been observed by our Security Operations Center (SOC) as components of attacks."
TeamsPhisher and related attacks that do occur over Teams can be prevented by simply toggling off the ability for users in a Microsoft tenant to engage with users of external tenants. But according to Spadaccini, that's just a start towards real, comprehensive protection.
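The tenant-wide "toggle off" mentioned above, as an added example that is not from the article or from Microsoft's documentation: a PowerShell session using the MicrosoftTeams module to audit the current external-access settings and then either block all external tenants or limit federation to an explicit allow list. It assumes the module is installed and the signed-in account holds a Teams administrator role; `partner.example` is a placeholder domain.

```powershell
# Added example (not from the article): audit and restrict who can reach your
# users from outside the tenant, via the MicrosoftTeams PowerShell module.
# Assumes Install-Module MicrosoftTeams has been run and the account is a Teams admin.
Connect-MicrosoftTeams

function Show-TeamsExternalAccess {
    # Audit step: the tenant-level values that decide whether another tenant,
    # a Skype user or a personal Teams account can open a chat with your users.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowPublicUsers,
                      AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains
}

function Restrict-TeamsExternalAccess {
    param(
        # Partner tenants that legitimately need to chat with your users.
        # Leave empty to block every external tenant (the article's "toggle off").
        [string[]] $AllowedPartnerDomains = @()
    )

    # Skype and personal (consumer) Teams accounts are disabled in both modes.
    $common = @{
        AllowPublicUsers          = $false
        AllowTeamsConsumer        = $false
        AllowTeamsConsumerInbound = $false
    }

    if ($AllowedPartnerDomains.Count -eq 0) {
        # Strictest option: no federation with any other Teams tenant at all.
        Set-CsTenantFederationConfiguration @common -AllowFederatedUsers $false
    } else {
        # Keep federation on, but only for an explicit allow list of domains,
        # so an unknown tenant cannot start a thread and drop a SharePoint link.
        $patterns  = $AllowedPartnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
        $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
        Set-CsTenantFederationConfiguration @common -AllowFederatedUsers $true -AllowedDomains $allowList
    }
}

"Before:"; Show-TeamsExternalAccess
# Placeholder domain: replace with real partner tenants, or pass nothing to block all.
Restrict-TeamsExternalAccess -AllowedPartnerDomains @("partner.example")
"After:";  Show-TeamsExternalAccess
```

Policy changes can take some time to propagate across the tenant, so rerun `Show-TeamsExternalAccess` later rather than trusting the immediate output alone.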
"Securing users' account settings is a good place to begin, but organizations can go a step further by gaining full visibility into their Microsoft Teams communications to monitor for malicious activity and establishing Microsoft Teams security protocols with solutions that will allow them to customize their policies, and quickly apply those policies across the entire channel," he says. "If a company can keep an all-seeing eye on potential threats and manage them from one central hub within its organization, they can leave no risks unseen."