What is Happening
A ransomware access broker has been phishing employees via Microsoft Teams, using a publicly available tool called TeamsPhisher. Microsoft has temporarily named the threat actor Storm-0324. The phishing lures are sent over Teams with malicious links leading to a malicious SharePoint-hosted file.
About Storm-0324
Storm-0324 is a temporary name assigned by Microsoft to this particular threat actor and shows that the company has yet to reach high confidence about the origin or identity of the actor behind the operation.
What is known about Storm-0324 is that it is a threat actor providing ransomware gangs with initial access to enterprise systems, as an access broker. It has been around for more than eight years and has previously used exploit kit and email-based vectors to deliver a variety of malware payloads, including banking trojans, information-stealing malware, and ransomware.
About Access Brokers
An access broker is a threat actor that specializes in infiltrating computer systems and networks, then selling that unauthorized access to other cybercriminals. Access brokers are highly skilled in their field and possess a specialized set of tools and techniques to gain initial access to corporate networks. They are a new face of organized cybercrime and are considered a cybercrime enabler.
Impact and Microsoft’s Response
Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware.
Microsoft previously said that the Microsoft Teams vulnerability that allows these attacks “did not meet the bar for immediate servicing.”
Microsoft also notes that it has rolled out several improvements to better defend against these threats, such as
- Suspending identified accounts and tenants associated with inauthentic or fraudulent behavior
- Enhancing the Accept/Block experience in one-on-one chats within Teams
- New restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant
Recommendations to Organizations
Enterprises can take steps to minimize this threat, such as
- Making it impossible for external tenants to contact their employees
- Changing the security settings to only allow communication with certain allow-listed domains
- Training Teams users to not interact with unknown or malicious senders
Furthermore, it would be in the best interest of organizations to consult with threat intelligence companies, such as Prodaft, for proactive defense.
Please see the Microsoft security advisory for more information including full list of recommedations.