Microsoft Threat Intelligence

Computer and Network Security

We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

About us

The Microsoft Threat Intelligence community is made up of more than 10,000 world-class experts, security researchers, analysts, and threat hunters analyzing 78 trillion signals daily to discover threats and deliver timely and hyper-relevant insight to protect customers. Our research covers a broad spectrum of threats, including threat actors and the infrastructure that enables them, as well as the tools and techniques they use in their attacks.

Website
https://aka.ms/threatintelblog
Industry
Computer and Network Security
Company size
10,001+ employees
Specialties
Computer & network security, Information technology & services, Cybersecurity, Threat intelligence, Threat protection, and Security

Updates

  • Microsoft's Digital Crimes Unit (DCU) is disrupting the technical infrastructure used by a persistent Russian nation-state threat actor that Microsoft tracks as Star Blizzard. The US District Court for the District of Columbia unsealed a civil action brought by Microsoft’s DCU, including its order authorizing Microsoft to seize 66 unique domains used by Star Blizzard in cyberattacks targeting Microsoft customers globally, including throughout the United States. https://msft.it/6040mUXoi Star Blizzard has continuously refined their detection evasion capabilities while remaining focused on email credential theft against the same targets. This blog provides updated technical information about Star Blizzard tactics, techniques, and procedures (TTPs), including their use of multiple registrars to register domain infrastructure, multiple link-shortening services and legitimate websites with open redirects, and altered legitimate email templates as spear-phishing lures: https://msft.it/6041mUXoc

    Protecting Democratic Institutions from Cyber Threats

    blogs.microsoft.com

  • The financially motivated cybercriminal group that Microsoft tracks as Storm-0501 has been observed exfiltrating data and deploying Embargo ransomware after moving laterally from on-premises to the cloud environment. These attacks also involve credential theft, tampering, and persistent backdoor access. Storm-0501 exploited known vulnerabilities to gain initial access and used various open-source and commodity tools to steal credentials and move laterally within the network. The threat actor used their level of access to exfiltrate sensitive data, evade detection, and gain control of the cloud environment. The actor subsequently created a backdoor to the cloud environment to maintain persistent access, and deployed Embargo ransomware on the on-premises environment to extort their target. In this blog post, we share our findings on the recent attack conducted by Storm-0501 and provide recommendations and mitigations to help customers protect themselves from this threat and similar ransomware attacks. https://msft.it/6041m5gPx

  • In this episode of The Microsoft Threat Intelligence Podcast, Microsoft experts discuss the impact of defenders having tools such as Kusto Query Language (KQL) to hunt for threats, as well as attackers using social engineering and PowerShell to deploy malware such as infostealers. KQL is a query language that enables security operations to look through their data and surface potential threats within their environment quickly and efficiently. It is a powerful tool to discover patterns and identify anomalies, and can provide actionable data that can be used to respond to threats such as phishing and ransomware. Senior Program Manager Rod Trent, Principal Security Research Manager Matthew Zorich, and Principal Product Manager for Customer Experience Engineering Mark Morowczynski share their experiences learning to use KQL, and their process in writing the book The Definitive Guide to KQL: Using Kusto Query Language for Operations, Defending, and Threat Hunting. Senior Threat Hunter Lekshmi Vijayan from Microsoft Defender Experts for Hunting also joins the episode to discuss how attackers are using PowerShell in their campaigns. She mentions a technique, initially observed in June, wherein attackers use social engineering techniques to trick a target into copying PowerShell code and running it, leading to infostealers and remote monitoring and management (RMM) tools. The opportunistic attacks, she says, focus on the theory that humans are the weakest link in security. Lekshmi and podcast host Sherrod DeGrippo also discuss the nature of the crimeware ecosystem, and how threats such as ransomware consist of different types of interconnected groups that focus on certain types of malicious activities. Listen to the full episode here: https://msft.it/6040meDc8

    The Inside Scoop on Using KQL for Cloud Data Security

    thecyberwire.com

  • We’ve made significant progress in fostering a security-first culture, and now, we’re sharing key updates and milestones from the first Secure Future Initiative (SFI) Progress Report. Learn more:

    Charlie Bell, Executive Vice President, Security:

    Security is the number one job of every employee at Microsoft. As part of our Secure Future Initiative, we are transforming our culture and the way we design, build, and test our products to prioritize security above all else. Today, we shared our first progress report, outlining the actions we’ve taken and milestones we’ve reached over the past few months.

    We know that as a company we have a unique responsibility to deliver the highest level of security for our platforms and our customers. As part of that, we have focused on making changes across our culture, governance, and six prioritized security pillars. We have created a new Cybersecurity Governance Council and appointed Deputy Chief Information Security Officers across the company aligned to foundational security functions and all engineering divisions. We’ve made significant progress to better protect tenants, identities, networks and engineering systems, dedicated more engineers to security than ever before and have created new processes to ensure security is prioritized at every level of the company.

    A transformation of this scale can be complex, but we are committed to changing our culture, mindsets, and ways of working to make the world more secure. https://lnkd.in/g86kS3Uk

    Progress update on Microsoft’s Secure Future Initiative | Microsoft Security Blog

    microsoft.com

  • Microsoft Threat Intelligence reposted this

    Jeremy Dallman, Senior Director, Security Research @ Microsoft Threat Intelligence:

    Great to see DOJ and FBI taking action against Flax Typhoon today! Proud of the MSTIC and DCU teams' roles contributing to the threat intelligence and attribution of Flax Typhoon. From the DOJ press release: The FBI assesses that Integrity Technology Group, in addition to developing and controlling the botnet, is responsible for computer intrusion activities attributed to China-based hackers known by the private sector as “Flax Typhoon.” Microsoft Threat Intelligence described Flax Typhoon as nation-state actors based out of China, active since 2021, who have targeted government agencies and education, critical manufacturing, and information technology organizations in Taiwan, and elsewhere. The FBI’s investigation has corroborated Microsoft’s conclusions, finding that Flax Typhoon has successfully attacked multiple U.S. and foreign corporations, universities, government agencies, telecommunications providers, and media organizations. https://lnkd.in/gvaQ65fk

    Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers

    justice.gov

  • Microsoft observed the financially motivated threat actor tracked as Vanilla Tempest using INC ransomware for the first time to target the healthcare sector in the United States. Vanilla Tempest receives hand-offs from Gootloader infections before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool. The threat actor then performs lateral movement through Remote Desktop Protocol (RDP) and ultimately uses the Windows Management Instrumentation Provider Host to deploy the INC ransomware payload. Microsoft tracks activity related to Gootloader as Storm-0494. Vanilla Tempest, which overlaps with activity tracked by other researchers as Vice Society, has been active since July 2022 and commonly targets the education, healthcare, IT, and manufacturing sectors in attacks involving various ransomware payloads such as BlackCat, Quantum Locker, Zeppelin, and Rhysida. The threat actor uses custom PowerShell scripts, commodity tools, exploits for disclosed vulnerabilities, and native Windows binaries to gather privileged credentials, move laterally, collect and exfiltrate data, and deploy ransomware. Microsoft Defender for Endpoint detects multiple stages of Vanilla Tempest activity, and Microsoft Defender Antivirus provides detections for the known INC ransomware and other malware identified in this campaign. For more information and guidance on defending against ransomware, visit https://msft.it/6043mVU9x.

  • Today, the latest Microsoft Threat Analysis Center (MTAC) report is sharing intelligence about Russian influence activity targeting the US 2024 presidential election. In the past few months, MTAC has observed a shift in the tactics for reaching US audiences, including a shift by Russian influence actors Storm-1516, Storm-1679, and Ruza Flood. Starting in late August and early September, Storm-1516 and Storm-1679 began producing and disseminating inauthentic videos meant to discredit Vice President Harris and Governor Walz. Ruza Flood also continues to stoke social rifts to produce anti-Ukraine sentiments. In the days following the US government’s seizures of Ruza Flood’s web domains, we observed this actor moving media outlets from seized domains to new ones where content can again be readily available. MTAC tracks several prominent Russia-affiliated cyber proxies and hacktivist groups for their ability to drive news cycles and disrupt public-facing election infrastructure, including Solntsepek, Zarya, and Cyber Army of Russia. Some Russian cyber proxies, like RaHDit, display an overlap with activity by Russian intelligence actors. Russia-affiliated influence actor Volga Flood (formerly Storm-1841) at times then amplifies materials from RaHDit and other cyber proxies, enabling a method for potentially laundering compromising information garnered from hack-and-leak operations while maintaining a veil of plausible deniability for the Kremlin. Volga Flood is also among the leading Russian actors leveraging AI to scale its operations. Learn more about these campaigns from the fourth election report from MTAC: https://msft.it/6044mpiQo

    Russian election interference efforts focus on the Harris-Walz campaign

    blogs.microsoft.com

  • To help defenders get better access to relevant threat intelligence articles, the Microsoft Defender XDR portal home page now displays featured Microsoft Defender Threat Intelligence (MDTI) articles to highlight noteworthy Microsoft content. The Intel explorer page now also has an article digest that notifies users of new MDTI articles that were published since they last accessed the portal. These capabilities will help users stay up to speed with the latest analysis of threat activity observed by Microsoft. MDTI articles provide insight into threat actors, tooling, attacks, and vulnerabilities, and link to actionable content and key indicators of compromise (IOCs) to help users in intelligence gathering, triage, incident response, and hunting efforts. Learn more about MDTI articles from our documentation: https://msft.it/6040mPaZM https://msft.it/6041mPaZ3

  • Microsoft has observed threat actors in North Korea diversifying their attacks that aim to gather intelligence and generate revenue in support of the North Korean regime. Onyx Sleet now supports both intelligence gathering and revenue generation for North Korea, conducting cyber espionage through numerous campaigns and more recently deploying ransomware in their attacks. Unlike other North Korean threat actors, Onyx Sleet uses a combination of custom and off-the-shelf tools in their attacks. The threat actor is also closely affiliated with Storm-0530, a group that calls itself H0lyGh0st and is known to launch ransomware attacks against a wide range of targets. Another North Korean threat actor, which Microsoft tracks as Citrine Sleet, has been observed focusing particularly on cryptocurrency theft for financial gain. While the actor has commonly been observed using its own malware known as AppleJeus, which aims to steal their targets’ cryptocurrency assets, Microsoft recently identified Citrine Sleet exploiting a zero-day vulnerability in Chromium to gain remote code execution and launch the sophisticated rootkit FudModule. In this episode of the Microsoft Threat Intelligence podcast, Microsoft Threat Intelligence researchers share their findings in tracking Onyx Sleet and Citrine Sleet, as well as their insights on the potential driving forces behind the changes in observed tactics. Listen to the full episode here, hosted by Sherrod DeGrippo: https://msft.it/6049mOdB3 Learn more about Onyx Sleet and Citrine Sleet from our blog posts: https://msft.it/6040mOdBO https://msft.it/6041mOdBP

    Citrine and Onyx Sleet: An Inside Look at North Korean Threat Actors

    thecyberwire.com
