Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector. FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its C2 servers. It was first observed being used against targets in early November 2023.

Microsoft has identified new Qakbot phishing campaigns following the August 2023 law enforcement disruption operation. The campaign began on December 11, was low in volume, and targeted the hospitality industry. Targets received a PDF from a user masquerading as an IRS employee. The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export “hvsi” execution of an embedded DLL. The MSI package was signed with the SignerSha1/Thumbprint 50e22aa4b3b145fe1193ebbabed0637fa381fac3.

Microsoft has taken steps to disrupt and mitigate a widespread campaign by the Russian nation-state threat actor Midnight Blizzard targeting TeamCity servers using the publicly available exploit for CVE-2023-42793. Following exploitation, Midnight Blizzard uses scheduled tasks to keep a variant of VaporRage malware persistent. The VaporRage variant, which is similar to malware deployed by the threat actor in recent phishing campaigns, abuses Microsoft OneDrive and Dropbox for C2.

Microsoft has identified a Russian-based nation-state threat actor tracked as Forest Blizzard (STRONTIUM, APT28, FANCYBEAR) actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers: msft.it/6018iPOLm Forest Blizzard primarily targets government, energy, transportation, and non-governmental orgs in the US, Europe, and the Middle East. The threat actor also commonly employs other known public exploits in their attacks, such as CVE-2023-38831 or CVE-2021-40444, among others.

Microsoft has detected Danabot (Storm-1044) infections leading to hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of Cactus ransomware. In this campaign, Danabot is distributed via malvertising. Storm-0216 has historically received handoffs from Qakbot operators but has since pivoted to leveraging different malware for initial access, likely a consequence of the Qakbot infrastructure takedown.

Microsoft has discovered exploitation of a 0-day vulnerability in the SysAid IT support software in limited attacks by Lace Tempest, a threat actor that distributes Clop ransomware. Microsoft notified SysAid about the issue (CVE-2023-47246), which they immediately patched. Organizations using SysAid should apply the patch and look for any signs of exploitation prior to patching, as Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware. msft.it/60129CIJy

The threat actor that Microsoft tracks as Sapphire Sleet, known for cryptocurrency theft via social engineering, has in the past few weeks created new websites masquerading as skills assessment portals, marking a shift in the persistent actor’s tactics. Sapphire Sleet, which overlaps with threat actors tracked by other researchers as BlueNoroff, CageyChameleon, and CryptoCore, is a nation-state sponsored threat actor based in North Korea and has targeted organizations in the cryptocurrency sector.

Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy. The four IP addresses below were observed sending related CVE-2023-22515 exploit traffic:
192.69.90[.]31
104.128.89[.]92
23.105.208[.]154
199.193.127[.]231

Adversary-in-the-middle (AiTM) phishing techniques continue to proliferate through the phishing-as-a-service (PhaaS) cybercrime model, as seen in the increasing number of-AiTM capable PhaaS platforms throughout 2023. In addition to new PhaaS services, established phishing services like PerSwaysion have added AiTM capabilities. This development in the PhaaS ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale.

Microsoft has observed a new version of the BlackCat ransomware being used in recent campaigns. This version includes the open-source communication framework tool Impacket, which threat actors use to facilitate lateral movement in target environments. The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments.

Microsoft has identified targeted attacks against the defense sector in Ukraine and Eastern Europe by the threat actor Secret Blizzard (KRYPTON, UAC-0003) leveraging DeliveryCheck, a novel .NET backdoor used to deliver a variety of second stage payloads. msft.it/6019gfoYU DeliveryCheck is distributed via email as documents with malicious macros. It persists via a scheduled task that downloads and launches it in memory. It also contacts a C2 server to retrieve tasks, which can include the launch of arbitrary payloads embedded in XSLT stylesheets.

Microsoft has detected increased credential attack activity by the threat actor Midnight Blizzard using residential proxy services to obfuscate the source of their attacks. These attacks target governments, IT service providers, NGOs, defense industry, and critical manufacturing. These credential attacks use a variety of password spray, brute force, and token theft techniques. Midnight Blizzard (NOBELIUM) has also conducted session replay attacks to gain initial access to cloud resources leveraging stolen sessions likely acquired via illicit sale.

Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims. Exploitation is often followed by deployment of a web shell w/ data exfil capabilities. CVE-2023-34362 allows attackers to authenticate as any user. Lace Tempest (Storm-0950, overlaps w/ FIN11, TA505) authenticates as the user with the highest privileges to exfiltrate files.

More actors are exploiting unpatched CVE-2023-27350 in print management software Papercut since we last reported on Lace Tempest. Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350. After public POCs were published for CVE-2023-27350, Mint Sandstorm & Mango Sandstorm quickly adapted the exploit in their operations to achieve initial access. This activity shows Mint Sandstorm’s continued ability to rapidly incorporate POC exploits into their operations.

Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505). Lace Tempest (DEV-0950) is a Clop ransomware affiliate that has been observed using GoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns. The threat actor incorporated the PaperCut exploits into their attacks as early as April 13.

As a recent investigation shows, business email compromise (BEC) attacks move fast—from signing in with compromised credentials & registering domains to setting inbox rules & hijacking a thread—highlighting the need to quickly detect and disrupt malicious actions leading to BEC. In this attack, after signing in, attackers spent about 2 hours searching the compromised account’s mailbox for an email thread to hijack. Finding one, the attackers registered 2 homoglyph domains, one to impersonate the target org, one for a partner org relevant to the thread.

Microsoft researchers are tracking an ongoing wide-ranging click fraud campaign where attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices. Microsoft attributes the attack to a threat actor tracked as DEV-0796. This campaign begins with an ISO file that's downloaded when a user clicks malicious ads or YouTube comments. When opened, the ISO file installs a browser node-webkit (NW.js) or a browser extension. We’ve also seen the use of DMG files, indicating multi-platform activity.

We observed notable updates to the long-running malware campaign targeting Linux systems by a group known as the 8220 gang. The updates include the deployment of new versions of a cryptominer and an IRC bot, as well the use of an exploit for a recently disclosed vulnerability. The group has actively updated its techniques and payloads over the last year. The most recent campaign targets i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access.

Microsoft recently observed a campaign targeting SQL servers that, like many attacks, uses brute force methods for initial compromise. What makes this campaign stand out is its use of the in-box utility sqlps.exe. Defenders typically monitor the use of PowerShell in their environment. The sqlps.exe utility, which comes with all versions of SQL by default, has similar functionality and is equally worthy of increased scrutiny.

SocGholish, a malware distribution network, started updating its tradecraft toward the end of 2021 with new C2 infrastructure almost every month, additional ways to deploy Cobalt Strike, and the use of publicly available tools for discovery and credential dumping. These campaigns led to the deployment of tools like PowerSploit, Rubeus, PowerShell Nishang modules, PrivescCheck, and SharpPack. Their notable features include the use of BLISTER loaders and tampering with legitimate DLLs where export was modified to launch Cobalt Strike.

The email campaign abusing the Craigslist messaging system continues to evolve and has been observed delivering Qakbot. The latest emails don’t have clickable links; they contain just an image instructing recipients to manually enter a URL on a browser. The updates make the campaign, first exposed by @InkyPhishFence, even more evasive. The earlier emails carried a link to a malicious Excel file, but abusing the Craigslist messaging system means the emails are sent from the Craigslist infra and private contact data is anonymized.