One Article Review

Source: AlienVault Lab Blog
Identifier: 8444739
Publication date: 2024-01-30 11:00:00 (viewed: 2024-01-30 11:07:51)
Title: DarkGate malware delivered via Microsoft Teams - detection and response
Text:

Executive summary

While most end users are well-acquainted with the dangers of traditional phishing attacks, such as those delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats could be a phishing vector. Most Teams activity is intra-organizational, but Microsoft enables External Access by default, which allows members of one organization to add users outside the organization to their Teams chats. Perhaps predictably, this feature has provided malicious actors a new avenue by which to exploit untrained or unaware users.

In a recent example, an AT&T Cybersecurity Managed Detection and Response (MDR) customer proactively reached out with concerns about a user who was external to their domain sending an unsolicited Teams chat to several internal members. The chat was suspected to be a phishing lure. The customer provided the username of the external user as well as the IDs of multiple users who were confirmed to have accepted the message. With this information, the AT&T Cybersecurity MDR SOC team was able to identify the targeted users, as well as suspicious file downloads initiated by some of them. A review of the tactics and indicators of compromise (IOCs) utilized by the attacker showed them to be associated with DarkGate malware, and the MDR SOC team was able to head off the attack before any significant damage was done.

Investigation

Initial event review

Indicators of compromise

The customer provided the below screenshot (Image 1) of the message that was received by one of their users and which was suspected to be a phishing lure. An important detail to note here is the “.onmicrosoft.com” domain name. This domain, by all appearances, is authentic, and most users would probably assume that it is legitimate. OSINT research on the domain also shows no reports of suspicious activity, leading the MDR SOC team to believe the username (and possibly the entire domain) was likely compromised by the attackers prior to being used to launch the phishing attack.

Image 1: Screenshot from customer of received message

Expanded investigation

Events search

Performing a search of the external username in the customer’s environment led the MDR team to over 1,000 “MessageSent” Teams events that were generated by the user. Although these events did not include the IDs of the recipients, they did include the external user’s tenant ID, as displayed in Image 2 below.

Image 2: Event log showing external user tenant ID

A Microsoft 365 tenant ID is a globally unique identifier assigned to an organization. It is what allows members of different companies to communicate with one another via Teams. As long as both members of a chat have valid tenant IDs, and External Access is enabled, they can exchange messages. With this in mind, the MDR SOC team was able to query events that contained the external user’s tenant ID and found multiple “MemberAdded” events, which are generated when a user joins a chat in Teams.

Image 3: “MemberAdded” event

These events include the victim’s user ID, but not the external user ID. In addition to the external tenant ID, the MDR SOC team was able to positively link these “MemberAdded” events back to the attacker via the “ChatThreadId” field, which was also present in the original “MessageSent&rdq
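The pivot described above (external sender's "MessageSent" events give the external tenant ID and "ChatThreadId"; "MemberAdded" events sharing either value give the internal users who joined the chat; those users' download activity is then triaged) can be expressed as a small correlation over audit records. The script below is an added example written for this page, not AT&T Cybersecurity or AlienVault tooling. It assumes events are dicts in the shape of Microsoft 365 unified audit log records; the field names "Operation", "UserId", "ChatThreadId" and the "FileDownloaded" operation follow that log, while "TenantId" and "AddedUserId" are simplified stand-ins chosen for this example, and every ID and username in the sample data is a constructed placeholder.

```python
"""Correlate Teams audit events to find internal users who joined chats
started by an external sender, then list their file downloads.

Added illustration for this article; not vendor tooling. Field names
'TenantId' and 'AddedUserId' are assumptions made for this example.
"""
from collections import defaultdict

# Constructed sample audit records; all identifiers are placeholders.
SAMPLE_EVENTS = [
    # External sender's messages carry the external tenant ID and thread IDs.
    {"Operation": "MessageSent", "UserId": "sender@EXTERNAL-PLACEHOLDER.onmicrosoft.com",
     "TenantId": "EXT-TENANT-PLACEHOLDER", "ChatThreadId": "19:thread-A@thread.v2"},
    {"Operation": "MessageSent", "UserId": "sender@EXTERNAL-PLACEHOLDER.onmicrosoft.com",
     "TenantId": "EXT-TENANT-PLACEHOLDER", "ChatThreadId": "19:thread-B@thread.v2"},
    # Ordinary internal chatter that must not be linked to the sender.
    {"Operation": "MessageSent", "UserId": "dave@customer.example",
     "TenantId": "INTERNAL-TENANT-PLACEHOLDER", "ChatThreadId": "19:thread-C@thread.v2"},
    # MemberAdded records name the internal user, not the external sender.
    {"Operation": "MemberAdded", "AddedUserId": "alice@customer.example",
     "TenantId": "EXT-TENANT-PLACEHOLDER", "ChatThreadId": "19:thread-A@thread.v2"},
    # Linked only through ChatThreadId (no tenant ID present in the record).
    {"Operation": "MemberAdded", "AddedUserId": "bob@customer.example",
     "ChatThreadId": "19:thread-B@thread.v2"},
    # Unrelated chat with a different tenant: should be ignored.
    {"Operation": "MemberAdded", "AddedUserId": "carol@customer.example",
     "TenantId": "INTERNAL-TENANT-PLACEHOLDER", "ChatThreadId": "19:thread-C@thread.v2"},
    # Download activity to triage once affected users are known.
    {"Operation": "FileDownloaded", "UserId": "alice@customer.example",
     "SourceFileName": "invoice.msi"},
    {"Operation": "FileDownloaded", "UserId": "carol@customer.example",
     "SourceFileName": "quarterly-report.pdf"},
]


def correlate_teams_events(events, external_user):
    """Return the external tenant IDs, chat threads and affected internal users.

    Step 1: MessageSent events by the external account yield tenant IDs and threads.
    Step 2: MemberAdded events sharing a tenant ID or ChatThreadId yield victims.
    """
    external_user = external_user.lower()
    tenant_ids, chat_threads = set(), set()
    for ev in events:
        if ev.get("Operation") != "MessageSent":
            continue
        if ev.get("UserId", "").lower() != external_user:
            continue
        if ev.get("TenantId"):
            tenant_ids.add(ev["TenantId"])
        if ev.get("ChatThreadId"):
            chat_threads.add(ev["ChatThreadId"])

    affected = defaultdict(set)  # internal user -> chat threads they joined
    for ev in events:
        if ev.get("Operation") != "MemberAdded":
            continue
        linked_by_tenant = ev.get("TenantId") in tenant_ids
        linked_by_thread = ev.get("ChatThreadId") in chat_threads
        if linked_by_tenant or linked_by_thread:
            affected[ev["AddedUserId"].lower()].add(ev.get("ChatThreadId"))

    return {
        "tenant_ids": tenant_ids,
        "chat_threads": chat_threads,
        "affected_users": dict(affected),
    }


def downloads_by_affected_users(events, affected_users):
    """Return FileDownloaded records for users who joined the external chats."""
    return [
        ev for ev in events
        if ev.get("Operation") == "FileDownloaded"
        and ev.get("UserId", "").lower() in affected_users
    ]


if __name__ == "__main__":
    result = correlate_teams_events(
        SAMPLE_EVENTS, "sender@EXTERNAL-PLACEHOLDER.onmicrosoft.com")
    print("external tenant IDs:", sorted(result["tenant_ids"]))
    print("affected users:", sorted(result["affected_users"]))
    for dl in downloads_by_affected_users(SAMPLE_EVENTS, result["affected_users"]):
        print("review download:", dl["UserId"], dl["SourceFileName"])
```

The second link (by "ChatThreadId" alone) matters because, as the article notes, "MemberAdded" records carry the victim's ID but not the external user's; a record that lacks the tenant field is still attributable to the sender through the thread it belongs to.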
Sent: Yes
Tags: Malware, Threat, Technical
Rating: ★★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.