MSSP, Managed Security Services, Email security, Ransomware

Russian Threat Groups Pose as Tech Help Services to Infiltrate Systems

Unknown vectors haunt ransomware playbook

Researchers with cybersecurity firm Sophos are warning security teams and MSSPs about two ransomware groups linked to Russian cybercriminals abusing Microsoft’s Office 365 platform and remote management tools to access corporate networks, steal information, and deliver malware.

The two separate extortion groups, tracked as STAC5143 and STAC5777, are flooding Outlook email inboxes with huge volumes of spam and then contacting targeted employees via Microsoft Teams from their own Office 365 service tenants and posing as the organization’s tech support to gain control of their systems, the Sophos X-Ops team wrote in a report Tuesday.

Many businesses use MSPs and MSSPs for their IT support needs, so an employee who is seeing large amounts of spam coming into their email inbox wouldn’t be surprised to get a Teams call or message from an unknown person appearing to be a help desk worker, according to Sean Gallagher, principal threat researcher at Sophos.

“While exploitation of remote management tools and abuse of legitimate services are themselves not wholly new, we are seeing more and more threat groups adopt these tactics to target companies of all sizes,” Gallagher said.

Use of MDR on the Rise

A combination of the increasing number and complexity of cyberattacks, the continued adoption of cloud computing, and the rapidly expanding Internet of Things (IoT) is fueling growth in the managed detection and response (MDR) space, according to analysts with Fortune Business Insights. The market research firm is expecting the global MDR market to grow from $2.31 billion this year to $8.34 billion by 2032.

Both STAC5143 and STAC5777 are aggressively running these campaigns, according to the Sophos researchers, who began investigating incidents in November and December and have uncovered more than 15 incidents.

Overlap with Russian Groups

They wrote that STAC5777 has overlaps with Storm-1811, a Russian group that had been identified by Microsoft and also abused Microsoft’s Quick Assist remote management tool in social engineering attacks that delivered the Black Basta ransomware. Meanwhile, STAC5143 appears to be copying Storm-1811’s gameplan and may have connections to the high-profile Russian FIN7 advanced persistent threat (APT) group, which also is known as Sangria Tempest and Carbon Spider, according to Sophos.

In the attacks Sophos uncovered, both groups use some common tactics, including sending as many as 3,000 spam messages in less than an hour to the targeted Outlook inboxes of a few people within a company. They then send Teams messages or calls to the targeted employees and use Quick Assist or Teams screen sharing to take control of the victim’s computer and install malware.

“Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users,” the researchers wrote.

Different Paths, Same Goal

From there, STAC5143 uses Teams’ built-in remote-control capabilities, a Java Archive and Java runtime to automate the exploitation of the victim’s computer, and a Java Archive to extract Python-based backdoors from a .zip file downloaded from a remote SharePoint link. The group also uses tactics and tools connected to FIN7.

For its part, STAC5777 uses Quick Assist, walks victims through the steps to install the remote management tool, and deploys malware and a legitimate Microsoft updater with a malicious side-loading DLL that establishes persistence, steals credentials, and enables the bad actors to discover network resources.

The group also uses Remote Desktop Protocol (RDP) and Windows Remote Management to access other computers on the network. Its actions overlap with Storm-1811.

A High-Alert Warning

“As Sophos continues to see new MDR and IR [incident response] cases associated with these tactics, we want companies using Microsoft O365 to be on high alert,” Sophos’ Gallagher said. “They should check company-wide configurations, block outside account messages if possible, and block remote access tools and remote machine management tools not regularly used by their organizations.”

In addition, the Sophos researchers wrote that companies should integrate Office 365 with their security environment to monitor sources of possibly malicious traffic into Teams or Outlook.
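The pattern the report describes, a flood of inbound mail to a few mailboxes followed by a Teams chat or call from a tenant the organization does not own, is one that a SIEM can correlate once Office 365 telemetry is feeding it. The following is an added example of that correlation logic; it is not code from Sophos or from this article. It assumes that mail and Teams events have already been normalized into the two simple record shapes shown (a real deployment would populate them from an Exchange message trace and the Teams records in the unified audit log), and that the organization maintains an allowlist of its own and partner tenant domains (`KNOWN_TENANTS`). Every event and domain in the block is constructed sample data.

```python
"""Correlate an inbound-mail flood with a follow-up Teams contact from an
outside tenant.

Added example, not part of the article or the Sophos report. Assumes events
have been normalized to the MailEvent/TeamsEvent shapes below; all data is
constructed for illustration.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

MailEvent = namedtuple("MailEvent", "ts recipient")
TeamsEvent = namedtuple("TeamsEvent", "ts recipient sender_domain kind")

# Assumption: the organization's own tenant plus any trusted partner tenants.
KNOWN_TENANTS = {"contoso.example"}

BASE = datetime(2024, 12, 2, 9, 0)

# Constructed sample: 300 messages to alice within 30 minutes, five to bob.
MAIL_EVENTS = [MailEvent(BASE + timedelta(seconds=6 * i), "alice@contoso.example")
               for i in range(300)]
MAIL_EVENTS += [MailEvent(BASE + timedelta(minutes=10 * i), "bob@contoso.example")
                for i in range(5)]

# Constructed sample Teams records; sender_domain is the initiating tenant.
TEAMS_EVENTS = [
    TeamsEvent(BASE + timedelta(minutes=40), "alice@contoso.example",
               "helpdesk-support.example", "chat"),   # unknown tenant, during flood
    TeamsEvent(BASE + timedelta(minutes=45), "alice@contoso.example",
               "contoso.example", "chat"),            # internal, benign
    TeamsEvent(BASE + timedelta(minutes=60), "bob@contoso.example",
               "unknown-tenant.example", "chat"),     # external, but no flood
    TeamsEvent(BASE + timedelta(hours=5), "alice@contoso.example",
               "late-contact.example", "call"),       # external, too long after
]


def mail_bursts(events, threshold=200, window=timedelta(hours=1)):
    """Return {recipient: (first_ts, last_ts, count)} for mailboxes that received
    at least `threshold` messages inside any sliding `window`."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.recipient].append(ev.ts)
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        span = None
        for end, t_end in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t_end - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                first = times[start] if span is None else min(span[0], times[start])
                last = t_end if span is None else max(span[1], t_end)
                span = (first, last)
        if span is not None:
            count = sum(1 for t in times if span[0] <= t <= span[1])
            bursts[user] = (span[0], span[1], count)
    return bursts


def correlate(mail_events, teams_events, known_tenants=KNOWN_TENANTS,
              lookback=timedelta(hours=2), **burst_kwargs):
    """Return one alert per Teams contact from an unknown tenant that arrives
    during, or within `lookback` after, a mail flood to the same recipient."""
    bursts = mail_bursts(mail_events, **burst_kwargs)
    alerts = []
    for ev in teams_events:
        if ev.sender_domain in known_tenants:
            continue
        span = bursts.get(ev.recipient)
        if span is None:
            continue
        first, last, count = span
        if first <= ev.ts <= last + lookback:
            alerts.append({
                "recipient": ev.recipient,
                "sender_domain": ev.sender_domain,
                "kind": ev.kind,
                "teams_ts": ev.ts,
                "mail_count": count,
                "flood_window": (first, last),
            })
    return alerts


def unknown_tenants(teams_events, known_tenants=KNOWN_TENANTS):
    """Tenants initiating Teams contact that are not on the allowlist; useful
    when reviewing whether external-domain chat should stay enabled."""
    return sorted({ev.sender_domain for ev in teams_events
                   if ev.sender_domain not in known_tenants})


if __name__ == "__main__":
    for alert in correlate(MAIL_EVENTS, TEAMS_EVENTS):
        print(alert)
    print("unknown tenants seen:", unknown_tenants(TEAMS_EVENTS))
```

The thresholds (200 messages per hour, a two-hour lookback) are starting points, not values from the report; tune them against the organization's normal mail volume. The bob case shows why the correlation matters: an external chat on its own is routine for many organizations, but the same chat arriving while the recipient's inbox is being flooded is the sequence both groups rely on.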

“Organizations should also raise employee awareness of these types of tactics,” they wrote. “These aren’t the types of things that are usually covered in anti-phishing training. Employees should be aware of who their actual technical support team is and be mindful of tactics intended to create a sense of urgency that these sorts of social-engineering driven attacks depend upon.”
