CyberSecurity News Byte

Hosted by Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 77: January 22, 2023

Links

https://www.bleepingcomputer.com/news/security/russian-hackers-stole-microsoft-corporate-emails-in-month-long-breach/

https://www.npr.org/2024/01/20/1225835736/microsoft-russian-hackers-accessed-senior-leaders-emails

https://www.bleepingcomputer.com/news/security/vmware-confirms-critical-vcenter-flaw-now-exploited-in-attacks/

https://www.huntress.com/blog/ransomware-deployment-attempts-via-teamviewer

https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta866-returns-large-email-campaign

https://thehackernews.com/2024/01/invoice-phishing-alert-ta866-deploys.html

Russian hackers stole Microsoft corporate emails

  • Microsoft
    • some of its corporate email accounts were breached
    • data was compromised.
    • Detected on January 12th
      • Happened in November
    • Password spray
      • No MFA?
    • Test account compromised
      • Pivoted to other accounts
      • No indication of how
      • Email accounts of Microsoft's senior leadership team accessed
        • As well as legal and cybersecurity staff
    • Data
      • Looks like they were initially after information about themselves (what Microsoft knew about the group)
  • Midnight Blizzard
    • AKA Nobelium, APT29, and Cozy Bear
    • Russian state-sponsored group
      • Might be part of Russia’s Foreign Intelligence Service (SVR)
    • Previously: SolarWinds attack, Microsoft Account breach (2021)
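The breach started with a password spray against a test account, so the detection worth having is the one that separates a spray (one source, many accounts, a failure or two each) from an ordinary brute force or a user mistyping a password. The script below is an added example, not code from the episode or from Microsoft; the sign-in log format (timestamp, source IP, account, result) and the log lines are constructed for the demonstration.

```python
"""Password-spray detector over constructed sign-in log lines.

Added example (not from the episode or the linked articles). Assumes a
simple constructed log format: timestamp, source IP, account, result.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source IP trying many accounts once each (a spray),
# finishing with a success against a forgotten test account, plus a normal
# user who mistypes their password twice.
SAMPLE_LOG = """\
2023-11-14T02:01:10Z 203.0.113.7 test-account-1 FAIL
2023-11-14T02:01:12Z 203.0.113.7 test-account-2 FAIL
2023-11-14T02:01:15Z 203.0.113.7 svc-build FAIL
2023-11-14T02:01:17Z 203.0.113.7 jdoe FAIL
2023-11-14T02:01:20Z 203.0.113.7 asmith FAIL
2023-11-14T02:01:22Z 203.0.113.7 legacy-test SUCCESS
2023-11-14T09:15:00Z 198.51.100.23 bwong FAIL
2023-11-14T09:15:30Z 198.51.100.23 bwong FAIL
2023-11-14T09:16:00Z 198.51.100.23 bwong SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, account, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: sorted accounts} for source IPs that failed against at
    least min_accounts distinct accounts inside one sliding time window.
    A brute force against a single account never trips this (many failures,
    one account); a spray does (few failures, many accounts)."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, account))
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {a for _, a in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[ip] = sorted(accounts)
                break
    return alerts


def successes_after_spray(events, alerts):
    """Any SUCCESS from a spraying IP: the 'test account compromised' case
    that should be escalated, not just logged."""
    return [(ip, account) for _, ip, account, result in events
            if result == "SUCCESS" and ip in alerts]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    found = detect_spray(evts)
    print("spraying sources:", found)
    print("accounts they got into:", successes_after_spray(evts, found))
```

The window and account thresholds are the knobs to tune against your own sign-in volume; a source that is both spraying and then succeeding is the case the episode describes, which is why the second function exists.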

Critical vCenter flaw now exploited in attacks

  • VMware
    • critical vCenter Server vulnerability
    • Patched in October
      • Actively exploited.
  • CVE-2023-34048
    • out-of-bounds write.
    • low-complexity attacks
      • don’t require authentication or user interaction.
    • Needs patch
      • no workaround
      • If you can't patch, limit network access to the affected ports:
        • 2012/tcp, 2014/tcp, and 2020/tcp
  • Valuable target
    • Network access brokers
      • Sell access on the dark web to ransomware groups
        • Royal, Black Basta, LockBit, RTM Locker, Qilin, ESXiArgs, Monti, and Akira, to name a few
    • Shodan
      • Over 2,000 VMware vCenter servers exposed online
  • Patching
    • VMware released fixes even for end-of-life systems

TeamViewer abused to breach networks

  • TeamViewer
    • a legitimate remote access tool
    • valued for its simplicity and capabilities.
  • Huntress
    • CyberSecurity company
    • analyzed log files (connections_incoming.txt)
      • attacker connections came from the same host
      • also saw multiple employees logging in (the tool was actively used)
  • Attack
    • deploy the ransomware payload using a DOS batch file (PP.bat)
      • on the desktop
      • executed a DLL file (the payload) via rundll32.exe
        • LB_Rundll32_pass.dll
    • does not use the standard LockBit 3.0 ransomware note
      • another ransomware gang using the leaked builder.
  • TeamViewer Response
    • “Our analysis shows that most instances of unauthorized access involve a weakening of TeamViewer’s default security settings”
    • “use of easily guessable passwords which is only possible by using an outdated version of our product.”
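Huntress got its lead by reading `connections_incoming.txt` and noticing the same remote host on more than one endpoint among legitimate staff logins. The script below is an added example, not Huntress's or TeamViewer's code: it parses that log from two endpoints and flags remote IDs that are not on an allow-list, that touch more than one endpoint, or that connect off-hours. The column layout (remote ID, display name, start, end, local user, connection type, connection ID, tab-separated, timestamps as dd-mm-yyyy HH:MM:SS) is an assumption modelled on the log's format, and the log lines and allow-list are constructed.

```python
"""Triage helper for TeamViewer's connections_incoming.txt.

Added example (not Huntress's or TeamViewer's code). The column layout is an
assumption modelled on the tab-separated format of the log:
  remote_id  display_name  start  end  local_user  type  connection_id
with timestamps as dd-mm-yyyy HH:MM:SS. Sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed: logs collected from two endpoints. Known staff IDs connect
# during the day; one unknown ID connects to both endpoints at 3 a.m.
LOGS = {
    "WS-FINANCE-01": """\
111111111\tAlice (IT)\t10-01-2024 09:12:03\t10-01-2024 09:40:51\tfinance01\\alice\tRemoteControl\t{c1}
555555555\tLB user\t11-01-2024 03:02:17\t11-01-2024 03:09:44\tfinance01\\alice\tRemoteControl\t{c2}
""",
    "WS-HR-02": """\
222222222\tBob (IT)\t10-01-2024 14:05:10\t10-01-2024 14:22:31\thr02\\bob\tRemoteControl\t{c3}
555555555\tLB user\t11-01-2024 03:15:02\t11-01-2024 03:21:58\thr02\\bob\tRemoteControl\t{c4}
""",
}
KNOWN_IDS = {"111111111", "222222222"}  # constructed allow-list of staff IDs


def parse_connections(text, endpoint):
    """Parse one endpoint's log into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        remote_id, name, start, end, user, ctype, _cid = parts
        rows.append({
            "endpoint": endpoint, "remote_id": remote_id, "name": name,
            "start": datetime.strptime(start, "%d-%m-%Y %H:%M:%S"),
            "end": datetime.strptime(end, "%d-%m-%Y %H:%M:%S"),
            "user": user, "type": ctype,
        })
    return rows


def triage(logs, known_ids, work_hours=(7, 19)):
    """Return {remote_id: sorted reasons} for remote IDs that are unknown,
    appear on more than one endpoint, or connect outside work hours."""
    by_id = defaultdict(list)
    for endpoint, text in logs.items():
        for row in parse_connections(text, endpoint):
            by_id[row["remote_id"]].append(row)
    findings = {}
    for rid, rows in by_id.items():
        reasons = set()
        if rid not in known_ids:
            reasons.add("unknown remote id")
        if len({r["endpoint"] for r in rows}) > 1:
            reasons.add("same remote id on multiple endpoints")
        if any(not (work_hours[0] <= r["start"].hour < work_hours[1]) for r in rows):
            reasons.add("connection outside work hours")
        if reasons:
            findings[rid] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for rid, reasons in triage(LOGS, KNOWN_IDS).items():
        print(rid, "->", "; ".join(reasons))
```

The allow-list is the piece that does the most work: a remote ID nobody in IT recognises, appearing on several machines in one night, is exactly the pattern the blog post describes, and it is visible from the log alone without any endpoint telemetry.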

TA866 Returns with a Large Email Campaign

  • January 11, 2024
    • Proofpoint identified a malicious email campaign
  • Attack
    • Invoice-themed emails
    • attached PDFs
      • “Document_[10 digits].pdf”
      • contained OneDrive URLs
        • led to malware
    • various subjects
      • e.g. “Project achievements”
    • Chain
      • Served a JavaScript file hosted on OneDrive.
      • The JavaScript, if run by the user, downloaded and ran an MSI file.
      • The MSI file executed an embedded WasabiSeed VBS script.
      • The WasabiSeed VBS script then downloaded and executed a second MSI file, and kept polling for additional payloads in a loop. The additional payloads are currently unknown.
      • Finally, the second MSI file contained components of the Screenshotter screenshot utility, which took a screenshot of the desktop and sent it to the C2.
  • TA866
    • First seen in October 2022
    • Financially motivated
    • Returned after a 9-month absence

WasabiSeed and Screenshotter