One Article Review

Source RiskIQ.webp RiskIQ
Identifier 8607796
Publication date 2024-11-07 22:07:45 (viewed: 2024-11-07 23:07:20)
Title Unmasking VEILDrive: Threat Actors Exploit Microsoft Services for C2
Text
## Snapshot
Researchers at Hunters' Team AXON identified an ongoing threat campaign named "VEILDrive," which leverages Microsoft's SaaS services for command and control (C2). The campaign, believed to have Russian origins, began in early August 2024 and uses Microsoft Teams, SharePoint, Quick Assist, and OneDrive to conduct spear-phishing and to host malware.

## Description
The attackers gain initial access through spear-phishing messages sent via Microsoft Teams, impersonating an IT team member and requesting remote access via [Quick Assist](https://learn.microsoft.com/windows/client-management/client-tools/quick-assist). Once granted access, the attacker downloads a malicious .zip file hosted on a SharePoint site that contains [remote monitoring and management (RMM) tools](https://sip.security.microsoft.com/intel-explorer/articles/9782a9ef). The attackers use these tools for persistence, creating scheduled tasks that repeatedly execute malware.

The associated malware, a Java-based .jar file named Cliento.jar, evades detection and establishes persistence through scheduled tasks and registry Run keys. It authenticates to OneDrive with hard-coded credentials and uses two C2 channels: a conventional HTTPS socket C2 to an Azure VM and a novel OneDrive-based C2. The OneDrive channel uses UUID-named files to distinguish victims and to relay commands, including file transfers and command execution. The malware also leverages Azure VMs and an Azure AD app registration for additional C2 capabilities.

## Microsoft Analysis and Additional OSINT Context
Microsoft Threat Intelligence is closely tracking how adversaries abuse Microsoft SaaS applications as part of sophisticated phishing attacks. For example, in April 2024, Microsoft observed the financially motivated group [Storm-1811](https://sip.security.microsoft.com/intel-profiles/0a78394b205d9b9d6cbcbd5f34053d7fc1912c3fa7418ffd0eabf1d00f677a2b) [using Microsoft Teams to impersonate IT or help desk personnel](https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/), leveraging [social engineering](https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/what-is-social-engineering.) techniques to gain victim trust and then misuse tools such as Quick Assist for remote access. In this activity, the threat actors used RMM tools, including ScreenConnect and NetSupport Manager, to maintain persistence and extend control over compromised systems. The attack chain also included credential theft using EvilProxy, execution of batch scripts, and deployment of malware such as Qakbot and Cobalt Strike, culminating in ransomware attacks such as [Black Basta](https://sip.security.microsoft.com/intel-profiles/0146164ed5ffa131074fa7e985f779597d2522865baa088f25cd80c3bed8d726).

## Recommendations
Microsoft recommends the following best practices to protect users and organizations from attacks and threat actors that misuse Quick Assist:
- Consider [blocking or uninstalling](https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization) Quick Assist and other remote monitoring and management tools if they are not in use in your environment. If your organization uses another remote support tool such as [Remote Help](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune-remote-help), block or remove Quick Assist as a best practice. Remote Help is part of the [Microsoft Intune Suite](https://learn.microsoft.com/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization) and provides authentication and security controls for helpdesk connections.
- Educate users about protecting themselves from [tech support scams](https://support.microsoft.com/windows/protect-yourself-fro
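The persistence and C2 traits in the Description section (a .jar re-launched by scheduled tasks and Run keys, and a Java process that talks to OneDrive) translate directly into hunting rules. The following is an added example written for this review, not code from Hunters' Team AXON or Microsoft. It assumes Sysmon-style telemetry (Event 1 process creation, 3 network connection, 13 registry value set) plus Windows Security event 4698 for scheduled-task creation, and it assumes the OneDrive C2 must reach graph.microsoft.com or a *-my.sharepoint.com host; the article only says OneDrive is used. The file paths, hostnames and task names below are constructed sample data, including benign records that the rules must not fire on.

```python
"""Hunting rules for the VEILDrive tradecraft summarised above.

Added example for this review; not code from Hunters' Team AXON or Microsoft.
Assumptions not stated in the article: Sysmon-style telemetry (Event 1 process
creation, 3 network connection, 13 registry value set) plus Security 4698
(scheduled task created), and that the OneDrive C2 reaches graph.microsoft.com
or a *-my.sharepoint.com host. All events below are constructed sample data.
"""
import re
from dataclasses import dataclass

# A Java runtime binary as the acting process (java.exe / javaw.exe).
JAVA_IMAGE = re.compile(r"\\javaw?\.exe$", re.IGNORECASE)
# "-jar <path>.jar", with or without quotes around a path containing spaces.
JAR_LAUNCH = re.compile(r'-jar\s+("[^"]*\.jar"|\S+\.jar)', re.IGNORECASE)
# Locations a standard user can write to; vendor jars normally live elsewhere.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# ...\CurrentVersion\Run and RunOnce values under HKCU or HKLM.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Task registration from the command line: schtasks.exe /create ...
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)
# Assumed OneDrive/Graph endpoints the OneDrive C2 would have to reach.
ONEDRIVE_HOSTS = re.compile(
    r"(^|\.)graph\.microsoft\.com$|-my\.sharepoint\.com$|(^|\.)onedrive\.live\.com$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    rule: str
    record_id: int
    detail: str


def hunt(events):
    """Run the four VEILDrive-style rules over a list of event dicts."""
    findings = []
    for ev in events:
        eid, rid = ev["EventID"], ev["RecordId"]
        if eid == 13:
            # Run key whose value launches a jar.
            if RUN_KEY.search(ev.get("TargetObject", "")) and JAR_LAUNCH.search(ev.get("Details", "")):
                findings.append(Finding("runkey_jar_persistence", rid, ev["TargetObject"]))
        elif eid == 1:
            cmd = ev.get("CommandLine", "")
            if SCHTASKS_CREATE.search(cmd) and JAR_LAUNCH.search(cmd):
                # schtasks registering a task that runs a jar.
                findings.append(Finding("schtasks_jar_persistence", rid, cmd))
            elif JAVA_IMAGE.search(ev.get("Image", "")) and JAR_LAUNCH.search(cmd) and USER_WRITABLE.search(cmd):
                # Java running a jar dropped in a user-writable location.
                findings.append(Finding("jar_from_user_writable_path", rid, cmd))
        elif eid == 4698 and JAR_LAUNCH.search(ev.get("TaskContent", "")):
            # Task XML (Security 4698) whose action runs a jar.
            findings.append(Finding("scheduled_task_jar", rid, ev.get("TaskName", "")))
        elif eid == 3 and JAVA_IMAGE.search(ev.get("Image", "")) and ONEDRIVE_HOSTS.search(ev.get("DestinationHostname", "")):
            # The Java process itself, not a browser or the OneDrive client, talking to OneDrive.
            findings.append(Finding("java_to_onedrive_api", rid, ev["DestinationHostname"]))
    return findings


# Constructed sample telemetry; paths, hosts and task names are invented.
SAMPLE_EVENTS = [
    # benign: a browser reaching Graph is ordinary user traffic
    {"RecordId": 1, "EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "graph.microsoft.com"},
    # benign: a vendor application running its own jar from Program Files
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Program Files\Java\jre\bin\java.exe",
     "CommandLine": r'"C:\Program Files\Java\jre\bin\java.exe" -jar "C:\Program Files\Vendor\tool.jar"'},
    # suspicious: a jar launched from the user's Temp directory
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "CommandLine": r"javaw.exe -jar C:\Users\alice\AppData\Local\Temp\Cliento.jar"},
    # suspicious: schtasks registering a repeating task that runs the jar
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "javaw.exe -jar C:\Users\alice\AppData\Local\Temp\Cliento.jar"'},
    # benign: the OneDrive client's own Run key
    {"RecordId": 5, "EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # suspicious: a Run key pointing at the jar
    {"RecordId": 6, "EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"javaw.exe -jar C:\Users\alice\AppData\Local\Temp\Cliento.jar"},
    # suspicious: the Java process talking to the OneDrive API
    {"RecordId": 7, "EventID": 3, "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "DestinationHostname": "graph.microsoft.com"},
    # suspicious: Security 4698 task definition whose action runs the jar
    {"RecordId": 8, "EventID": 4698, "TaskName": r"\Updater",
     "TaskContent": "<Exec><Command>javaw.exe</Command><Arguments>-jar C:\\Users\\alice\\AppData\\Local\\Temp\\Cliento.jar</Arguments></Exec>"},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] record {f.record_id}: {f.detail}")
```

The Java rule keys on user-writable paths because Java runtimes launching vendor jars from Program Files are common in enterprise fleets; the schtasks and 4698 rules will also fire on legitimate administrative tasks that run jars, so baseline them per environment and triage by the jar's path and signer. The network rule only catches the OneDrive channel; the HTTPS socket C2 to an Azure VM has no generic signature and needs the campaign's specific indicators.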
Notes ★★
Sent Yes
Tags Ransomware Malware Tool Threat Cloud Technical


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.