Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor. To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with an PDF attachment.

In the last quarter of 2024, Microsoft Threat Intelligence observed developments in the ransomware ecosystem that researchers and defenders should watch for in 2025. 🧵 Exploitation of vulnerabilities remains a key method for initial access. In October, the threat actor Lace Tempest, known for exploiting 0-days in file-transfer software, was observed exploiting vulnerabilities in Cleo products (CVE-2024-50623, CVE-2024-55956).

Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. msft.it/6011W3CGX Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection.

Microsoft observed the financially motivated threat actor tracked as Vanilla Tempest using INC ransomware for the first time to target the healthcare sector in the United States. Vanilla Tempest receives hand-offs from Gootloader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool.

In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns. Octo Tempest, known for its sophisticated social engineering techniques, identity compromise and persistence, focus on targeting VMWare ESXi servers, and deployment of BlackCat ransomware, accounts for a significant bulk of our investigations and incident response engagements.

Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector. FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its C2 servers. It was first observed being used against targets in early November 2023.

Microsoft has identified new Qakbot phishing campaigns following the August 2023 law enforcement disruption operation. The campaign began on December 11, was low in volume, and targeted the hospitality industry. Targets received a PDF from a user masquerading as an IRS employee. The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export “hvsi” execution of an embedded DLL. The MSI package was signed with the SignerSha1/Thumbprint 50e22aa4b3b145fe1193ebbabed0637fa381fac3.

Microsoft has taken steps to disrupt and mitigate a widespread campaign by the Russian nation-state threat actor Midnight Blizzard targeting TeamCity servers using the publicly available exploit for CVE-2023-42793. Following exploitation, Midnight Blizzard uses scheduled tasks to keep a variant of VaporRage malware persistent. The VaporRage variant, which is similar to malware deployed by the threat actor in recent phishing campaigns, abuses Microsoft OneDrive and Dropbox for C2.

Microsoft has identified a Russian-based nation-state threat actor tracked as Forest Blizzard (STRONTIUM, APT28, FANCYBEAR) actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers: msft.it/6018iPOLm Forest Blizzard primarily targets government, energy, transportation, and non-governmental orgs in the US, Europe, and the Middle East. The threat actor also commonly employs other known public exploits in their attacks, such as CVE-2023-38831 or CVE-2021-40444, among others.

Microsoft has detected Danabot (Storm-1044) infections leading to hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of Cactus ransomware. In this campaign, Danabot is distributed via malvertising. Storm-0216 has historically received handoffs from Qakbot operators but has since pivoted to leveraging different malware for initial access, likely a consequence of the Qakbot infrastructure takedown.

Microsoft has discovered exploitation of a 0-day vulnerability in the SysAid IT support software in limited attacks by Lace Tempest, a threat actor that distributes Clop ransomware. Microsoft notified SysAid about the issue (CVE-2023-47246), which they immediately patched. Organizations using SysAid should apply the patch and look for any signs of exploitation prior to patching, as Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware. msft.it/60129CIJy

The threat actor that Microsoft tracks as Sapphire Sleet, known for cryptocurrency theft via social engineering, has in the past few weeks created new websites masquerading as skills assessment portals, marking a shift in the persistent actor’s tactics. Sapphire Sleet, which overlaps with threat actors tracked by other researchers as BlueNoroff, CageyChameleon, and CryptoCore, is a nation-state sponsored threat actor based in North Korea and has targeted organizations in the cryptocurrency sector.

Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy. The four IP addresses below were observed sending related CVE-2023-22515 exploit traffic:
192.69.90[.]31
104.128.89[.]92
23.105.208[.]154
199.193.127[.]231

Adversary-in-the-middle (AiTM) phishing techniques continue to proliferate through the phishing-as-a-service (PhaaS) cybercrime model, as seen in the increasing number of-AiTM capable PhaaS platforms throughout 2023. In addition to new PhaaS services, established phishing services like PerSwaysion have added AiTM capabilities. This development in the PhaaS ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale.

Microsoft has observed a new version of the BlackCat ransomware being used in recent campaigns. This version includes the open-source communication framework tool Impacket, which threat actors use to facilitate lateral movement in target environments. The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments.

Microsoft has identified targeted attacks against the defense sector in Ukraine and Eastern Europe by the threat actor Secret Blizzard (KRYPTON, UAC-0003) leveraging DeliveryCheck, a novel .NET backdoor used to deliver a variety of second stage payloads. msft.it/6019gfoYU DeliveryCheck is distributed via email as documents with malicious macros. It persists via a scheduled task that downloads and launches it in memory. It also contacts a C2 server to retrieve tasks, which can include the launch of arbitrary payloads embedded in XSLT stylesheets.

Microsoft has detected increased credential attack activity by the threat actor Midnight Blizzard using residential proxy services to obfuscate the source of their attacks. These attacks target governments, IT service providers, NGOs, defense industry, and critical manufacturing. These credential attacks use a variety of password spray, brute force, and token theft techniques. Midnight Blizzard (NOBELIUM) has also conducted session replay attacks to gain initial access to cloud resources leveraging stolen sessions likely acquired via illicit sale.

Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims. Exploitation is often followed by deployment of a web shell w/ data exfil capabilities. CVE-2023-34362 allows attackers to authenticate as any user. Lace Tempest (Storm-0950, overlaps w/ FIN11, TA505) authenticates as the user with the highest privileges to exfiltrate files.

More actors are exploiting unpatched CVE-2023-27350 in print management software Papercut since we last reported on Lace Tempest. Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350. After public POCs were published for CVE-2023-27350, Mint Sandstorm & Mango Sandstorm quickly adapted the exploit in their operations to achieve initial access. This activity shows Mint Sandstorm’s continued ability to rapidly incorporate POC exploits into their operations.

Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505). Lace Tempest (DEV-0950) is a Clop ransomware affiliate that has been observed using GoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns. The threat actor incorporated the PaperCut exploits into their attacks as early as April 13.

As a recent investigation shows, business email compromise (BEC) attacks move fast—from signing in with compromised credentials & registering domains to setting inbox rules & hijacking a thread—highlighting the need to quickly detect and disrupt malicious actions leading to BEC. In this attack, after signing in, attackers spent about 2 hours searching the compromised account’s mailbox for an email thread to hijack. Finding one, the attackers registered 2 homoglyph domains, one to impersonate the target org, one for a partner org relevant to the thread.