State of Cybercrime

Storm-0558

Episode Summary

A Microsoft zero-day vulnerability has allowed hacking group Storm-0558 to forge Azure AD authentication tokens, and breach organizations — including U.S. government agencies — in the past week. Watch this State of Cybercrime episode to hear our experts break down how this attack happened, see the discoveries made by the Varonis Threat Labs team, and learn what you can do to make sure your data is safe and secure.

Episode Transcription

[00:00:00]

Matt Radolec: Hello everybody and welcome to another episode of State of Cybercrime.

David Gibson: How's it going, Matt? Hey, Dvir. 

Matt Radolec: Yeah, I'm doing outstanding. Where's everybody talking to us and viewing us from today? I'm at home in Maryland. What about you, David?

David Gibson: I am at home in Connecticut.

Matt Radolec: And Dvir? 

Dvir Sason: I'm from Tel Aviv in Israel.

Matt Radolec: Awesome. Awesome. I hope some of our audience members chime in and let us know where they're watching the show from today. We got some Kentucky, some Kansas City, some North Carolina. We got somebody from Liverpool. [00:01:00] Shout out to our friends across the pond.

Got another Marylander. We're excited. There's some things that have been catching the world by Storm, all the pun intended, that we're definitely gonna cover on the show today. And, let's crack right into it.

So we're gonna go through our usual segments. We'll start with Is There Any Good News, we'll jump on the highway to The Danger Zone, we'll talk about a handful of Vulnerable Vulnerabilities, and like always at the end, we'll save time for Q&A, to interact with you, our audience. After all, the show is made possible by you. We really appreciate your attendance today and all your engagement.

So let's get started with, Is There Any Good News?

David Gibson: Is there any good news, Matt?

Matt Radolec: There always is some good news, in cybersecurity, everybody likes to talk about doom and gloom and this meek outlook that we have for the world. But there's always something good to say, whether it's another hacking forum getting busted, which maybe I'm hinting at our next segment or, some ransomware or cyber criminal getting taken down, that's what we've got to talk about here. 

In fact, [00:02:00] Operator, a.k.a., and Dvir, make sure I'm pronouncing all these threat actor group names right, NX$M$, Desktop Group or Common Raven is believed to have stolen somewhere in the neighborhood of 20 to 30 million over the last four years in phishing and business email compromise-style attacks on financial institutions and mobile banking apps across Africa, Asia, and Latin America. Their main MO was infiltrating networks in order to siphon money out of the ATM networks that were operated by and connected to the institution. The arrest of this actor was made in Côte d'Ivoire during a joint operation between Interpol, Orange, the US Secret Service, and Booz Allen Hamilton's Dark Labs, calling it Operation Nerve One. This one is another win for the good guys.

David Gibson: Yeah, I think that arrest was made, o biblio tech as well. But, I thought it was interesting, the Operator group, their MO was to stay in organizations for quite some time, probably a month to three months or [00:03:00] so, and they would target the same company over and over again. Mostly financial crime, if I have that right.

Matt Radolec: Yeah. Yeah. Going after, I think, the ATM specifically, right? Like when an ATM makes a call to take an ACH from another bank account, and try to siphon money out of that process, with some success.

20 to 30 million over four years. What's that? Somewhere in the neighborhood of three to five million a year.

David Gibson: Yep. Glad to see them out of the way. 

Matt Radolec: Yeah, glad to see at least one actor taken down now. Now, David, you always like telling us about another hacker forum that has something that has happened.

So tell us what's happening with BreachForums.

David Gibson: Mr. Fitzpatrick, who was from Peekskill, New York, not too far, has pleaded guilty to the charges of hacking and child pornography possession. So he apparently has been, as a few articles described, a thorn in the FBI's side for a few years.

He actually exploited a weakness in one of their email gateways at one point. I guess it's nice to have another bad actor out of the way. 

Dvir, I don't know if there's any more that you can [00:04:00] share about any of that activity and how bad BreachForums was as a marketplace.

Dvir Sason: Yeah, so it's funny that you mention it, because in our last episode we talked about BreachForums and, of course, all the other forums and marketplaces that threat actors and skiddies used to work with.

Pompompurin, as a threat actor I'm quite happy personally that he's out of the way and that the FBI was able to actually press charges against him.

He's quite infamous for his activities and, of course, in BreachForums, and yeah.

Matt Radolec: And that's not the only good news. I think something that just dropped, David, only what a few minutes ago that we just put into the show has to deal with Microsoft expanding access to logs. Free the logs, right?

So over the coming months, it looks like most or more licensed tiers from Microsoft will have access to additional security logs, like the ones that might have been needed to determine if you were impacted by Storm. 

David Gibson: Yeah, and we'll talk about Storm in a second, but that's [00:05:00] prompting Microsoft to make some of the forensics and some of the investigations a little bit easier for folks that don't have some of the higher cost licensing as well, which it's nice to see the freeing of the logs as you put it there, Matt.

Matt Radolec: I know everybody is eager to jump on the highway to the Danger Zone and see what's catching the world by Storm. I just love saying it. 

David, Dvir, what's going on with this Storm-0558 thing, other than Microsoft's allowing you to get some more logs?

David Gibson: Yeah, it sounds like there was a pretty scary vulnerability with some token signing that allowed a pretty scary actor to get access to some pretty scary information on a lot of folks emails. 

Dvir, what can you tell us about that? 

Dvir Sason: So it goes like this.

Every vendor has their own designation for it, it could be an animal, with a specific ADR vendor, and it could be, as related to any other nickname, Storm-related in Microsoft. And that was a new change that Microsoft presented a few weeks [00:06:00] ago. With regards to Storm-0558, I guess everybody's familiar with the name APT 31, is that right? Have you all heard about -

Matt Radolec: I've certainly heard of that one before. Yeah, Dvir. 

Dvir Sason: Yeah. So APT 31 is a Chinese threat group operating as an espionage type of threat group from China, whose main goals and activities are to gain intelligence from any sort of email accounts with all sorts of the same old methodologies such as phishing campaigns and whatnot. The fact that Storm-0558 is a bit different from APT 31 is due to the methodologies introduced in this campaign that Microsoft has observed, that allowed, unbeknownst to Microsoft, this threat group to gain access to organizations throughout the world, 25 organizations in that specific number, and to individual mail accounts in order to gain access to [00:07:00] full email conversations, attachments and WhatsApp.

The way that they've done so is by using this magical key as we call it. It's called MSA, MSA stands for Microsoft Account Signing. 

That is unclear how they got it, but they were able to communicate with certain endpoints, which we're gonna click on for the next slide.

Matt Radolec: Yeah, I got you. 

Dvir Sason: Thank you. 

So they were able to use a very unique and never seen before dormant key in order to communicate with certain endpoints. For OWA, which is Exchange on-prem, outlook.com for everything related to individual mail accounts, and Exchange Online for any other email accounts in organizations.

And by using this specific magical key, MSA key, they were able to generate their own server-signed tokens in order to communicate with endpoints and to say, Hey, we're authenticated. We are the account holders. Let us in.

And in that sense, they were [00:08:00] able to use two specific scripts in Python and PowerShell in order to download and exfiltrate data from these specific accounts.

From what we were able to understand, the targeted populations are still the same geopolitical disputed areas such as Taiwan, Tibet, and everything related to the Uyghurs when it comes to individuals and when it comes to the 25 organizations, some speculate that it's related to US government or any other US European type of organizations throughout the world.

In order to gain this sort of intelligence as part of their espionage campaigns from their emails.

Now- 

Matt Radolec: Dvir, if I could just ask you really quick.

Dvir Sason: Sure. 

Matt Radolec: You're talking about how they got the ability to create legitimate tokens, where they got the ability to create a legitimate token, and/or maybe an illegitimate token, but due to this vulnerability that illegitimate token was accepted as valid. Am I getting that right?

Dvir Sason: That's correct. When we [00:09:00] attempt to use these endpoints, we use specific generated tokens by our authentication service. We present credentials and we're allowed in. They were coming with specific higher privileged dormant keys that were not potentially seen before.

And they were not even allowed to be used in that sense, which triggered a lot of bells and whistles for Microsoft's side by the detections. They were not supposed to be used in that sense.

So we're talking about two main issues over here. Again, they used unknown source keys that were dormant, and these keys were not replicated and invalidated in that sense.

So that's the first vulnerability that they were using. And the second one is that they were continually renewing the tickets, sorry, the tokens in that sense. By communicating with these endpoints, they were able to continue and maintain foothold and continue to generate tokens.

So there are two vulnerabilities mentioned over here, used by the threat actors. But I think the [00:10:00] main pain point in that sense is that these keys were not maintained enough. And again, by using keys, dormant keys that were not supposed to be used, they were able to do this hack.

We can understand from everything going on that they had bigger plans in mind and they were stopped right after they hit these 25 organizations and personal accounts. 

And the moment that Microsoft found out about it, they completely blocked and invalidated the keys and completely blocked them out which made them very angry because again, they had bigger plans. 

It's unknown what's going on in that sense. What are the different methodologies that they will divert to and use in that sense. But again, based on their methodologies in the past, they will stick to emails, mainly email compromise, phishing campaigns and whatnot.

Matt Radolec: So quite the sophisticated vector to go after data, right? Ultimately this is to go after Exchange data and I'm sure like in the past with this APT group to move [00:11:00] and gain access to additional systems and additional credentials and maintain persistence. But what a novel way to get to data and I guess, tying to the Good News, and one that if you needed at the time at least some pretty sophisticated logging from Microsoft to be able to pick up on.

David Gibson: Yeah, I think it's both good that sophisticated logging is gonna be more available to folks. It's also good that this vector was blown, right? Because who knows how long that could have gone on. Who knows how long it did go on. If I'm understanding correctly, it's not like this is an MFA, this takes place after an MFA bypass stuff, right?

Once you have the token, you're in. 

Matt Radolec: Yeah. 

David Gibson: And there's no sign as an end user, as somebody of the email other than, did I read that email? Why is it marked as unread? There's no way you'd really notice, right? 

Dvir Sason: True. 

Matt Radolec: Yeah. We always like to say that these cookies go straight to your SaaS.

This is another one of those scenarios, Dvir? 

Dvir Sason: Exactly. So someone said as another metaphor, it's like stealing a passport making machine, you just continue making more passports. 

They were able to just communicate with these [00:12:00] endpoints without the need for MFA, without any sort of need to enter credentials.

Matt Radolec: And is it okay with you guys if we MOVEit to the next thing in the Danger Zone?

David Gibson: I see what you did there. 

Dvir Sason: Likewise.

Matt Radolec: I know that this vulnerability, and this tech, you know, MOVEit, it's really made the rounds. It's caused a lot of pain for organizations. But I still can't get the song outta my head, so let's MOVEit to our updated section on MOVEit.

And David, it's been what, like a, maybe a month or six weeks now since the world has known about and had mitigations available for MOVEit. Am I getting that right?

David Gibson: Yeah, it's been a while. I hope everybody here has already patched it if they use it, but apparently not everyone has, right?

Matt Radolec: Yeah, and it seems every week, even we at Varonis are called on by organizations in order to help them investigate this.

Since our last update on our last episode, at least nine more victims have been added to their dark web log. And the total number of impacted organizations is well over 200, including notables like CompuCom, Vitesco, [00:13:00] Sierra Wireless. 

And I just wanna reiterate what David says and what we often say. When you think about these supply chain style or Russian doll style attacks, like the one on the MOVEit file transfer service, executed in this case by the Cl0p ransomware group, where they're going after and trying to steal data from both the businesses that use it and the people who consume MOVEit, their clients that they actually transfer files between: if it's not abundantly clear to you that you should patch actively exploited vulnerabilities on file transfer applications in your DMZ, David and I are here to remind you that you should patch actively exploited vulnerabilities on all of your servers, but definitely on the ones accessible from the internet.

David or Dvir, any other tips here? 

David Gibson: And those that contain sensitive data belonging to both you and customers, right? This is a one-stop shop attack. You get access to this vulnerability, you don't need to do much lateral movement. You don't need to penetrate [00:14:00] further; the data's there.

Matt Radolec: And usually the data you're sharing with your clients, or that's going back, is probably the good stuff, right? It's not the outdated forms that sit on the servers in the stale sections. It's the actively collaborated data.

David Gibson: It's a high value target. 

Dvir Sason: That's correct. Yeah. So again, this attack is heavily automated and threat actors are able to gain tons of information from it.

Matt Radolec: Yeah. Now, this is not the only thing that we have to talk about though. There's a few more vulnerable vulnerabilities that we want to talk to our audience about.

First and foremost, the Truebot team has struck again, this time targeting a security layer. This time it's Netwrix Auditor. CISA, the FBI, and other sources of cyber truth have issued a joint advisory highlighting the urgency of patching this remote code execution flaw in Netwrix's software.

The vulnerability, CVE-2022-31199, will ultimately allow for total Active Directory compromise following the initial remote code execution, or RCE, exploitation of that [00:15:00] vulnerability in the Netwrix software. Attackers are gonna leverage this to break into organizations and exfiltrate data.

And I'm constantly reminded by things like this that the means are always changing, but the end is the same. In each one of these attacks, the attackers are going after data. Even if we go back to the financial crime one at the beginning, it was data on the ATM network to then subsequently commit financial fraud.

It was this information that unlocked the power for the attackers. 

The other thing that I thought was really interesting about this was, similar to MOVEit, this is an object deserialization vulnerability. And so it seems like this is really making waves.

And Dvir, any thoughts on if actors, once they started to see object deserialization become a thing, they're just going out and testing everything they can for those kinds of vulnerabilities?

Dvir Sason: Object deserialization is not an easy method to attempt. You need to understand exactly what's the type of payload that you are able to inject and that will be parsed. Of course we've seen it with MOVEit and also, according to David's question from earlier, also [00:16:00] in Log4j.

So once there is a vector, it is possible to use deserialization. But again, there are plenty of tools that allow pen testers and, of course, threat actors and bad guys to attempt and create these payloads. And it is what it is. We will see, once an application is vulnerable to deserialization, it's possible to generate these sorts of payloads.

Matt Radolec: And as always, best practice is apply patches, limit the use of RDP. Yeah. Limit the use of RDP, audit the systems where you have to use RDP, leverage multifactor authentication, things like monitoring of your critical resources and your... David, I know you're probably just about to add something there.

David Gibson: Yeah, just also prioritizing the stuff that's running on your domain controller as a high privileged account. Obviously that's a pretty big vulnerability there. Running on your domain controller with high privileges, it's, yeah. Or even just one vulnerability away from your whole domain being gone.

Matt Radolec: Yes. Sitting in memory on your DC is about as good. Yeah. I mean, is there a more juicy target for lateral movement than [00:17:00] being able to get in memory on a domain controller?

Dvir Sason: So of course, file servers and everything related to where the agent of the AD sync service is located.

So again, organization compromise is like the holy grail of every attacker there is, but it's not just that. It's to maintain persistence, and to have this secret back door that they will be able to gain access to. So again, this is file servers, AD service accounts where they reside with the agent, and this is what it is.

Matt Radolec: Now, we know everybody likes to debate about the dangers of AI. We even did a webinar on that hosted by Varonis security architect Tom over in the UK. But there's something going on in the AI world.

David, you wanna talk to us about WormGPT? 

David Gibson: Yeah, I think our fears of AI are starting to be realized. It seems like ChatGPT and Bard are putting in some protections so that you can't use those [00:18:00] kind of AI superpowers for evil. Although people are having some jailbreaks and finding some ways around those.

But this is kind of a black hat AI, right? You can use this to generate malware and worms. And there's no guardrails, no protections. This is the evil supervillain, it looks like, to ChatGPT, and I think it may make the game of malware creation and phishing email creation that much easier.

Matt Radolec: Yeah, and they didn't like program into ChatGPT to put some spelling errors into those phishing emails, which might have been a good use of security knowhow. 

Now just before we cover a few more vulnerabilities, there's two, I think, really good questions that have come in, and Dvir, I want to throw one at you, which is: can you elaborate a bit on what a domain controller elevated account means?

I think some of our audience members might not be as deep in AD as the host. 

Dvir Sason: Cool. So again, this is the holy grail, and almost every service that runs on the [00:19:00] DC is running either as a service or as a local admin or as a domain admin. But an elevated account is the potentially higher privileged account that threat actors are looking to pivot on, to try and jump from the low privilege account to the higher privilege account. And that could be either by jumping between processes or using any sort of local privilege escalation exploits to gain the upper hand and to gain higher privileges.

Matt Radolec: And that's if the service wasn't running already as an administrator, which, some organizations don't put these privileged accounts to run their security stack.

Dvir Sason: Exactly. So potentially, if I'm a domain admin and I'm running all sorts of services interactively on my account, and I just click on close on the RDP instead of disconnect, potentially someone, once they have access to that machine, is able to jump and steal the token of that elevated account because that process is still there.

And to jump and hijack it, to gain high privileges.

Matt Radolec: And a follow-up question, and thanks Justin for [00:20:00] that: what should we do to protect against that?

Dvir Sason: Service accounts? Absolutely. Making sure that you disconnect, also disconnect your RDPs, never run anything as a privileged user and account. Maintain detections and logging and check exactly who's doing what. Of course, everything related to EDR and agents to monitor activities of suspicious processes or any sort of memory hydro attacks, either process hollowing or any sort of hellgate attack. And the risk keeps ongoing; at the end you need...

Matt Radolec: And I would just say, yeah, even supplement these exploit type detections with abnormal behavior type detections to...

Dvir Sason: That's correct.

Matt Radolec: Identify the downstream actions. The list goes on and on, but just to start with the simplest, the first thing you said, and I think the most practical for people to take even near immediate steps on if you're running that service as an admin, switch it to a service account, make sure it's not used anywhere else.

If that service account is an admin, lower its privileges; maybe you only [00:21:00] need to have administrator credentials to install it, and you don't actually need administrative privileges to run the service after it's installed. These are things that you should look through whenever you're putting anything on your domain controller, really any server.

But I know everybody's usually stretched for time. So at the bare minimum, take this high level of scrutiny on your domain controllers.

And David, I'm sure you have something to add here. Go ahead, David. Sorry.

David Gibson: Yeah. Just one other thing.

If you're running this service, as far as I understand it, to exploit it you have to connect to TCP port 9004, so blocking traffic to your domain controller that you don't expect, right? You can do some segmentation there to at least protect against some of this stuff.

Probably not a terrible idea. 

Matt Radolec: Yeah. And another question came in from Craig, just really quick, guys: when we say the Microsoft compromised emails were read or accessed, would they really have been marked as read so that an end user could question it?

This is a great question. So what we've seen on this is, sometimes the attackers are [00:22:00] syncing the mailbox and then obviously looking through the messages either on a device that doesn't have that sync back or is not.

However, we didn't get to investigate every single one of those, so it's hard to know if they ever triggered a read event or not, Dvir, unless you've got more data on that.

Dvir Sason: As you just mentioned, sometimes they're able to sync it, sometimes they're able to create that API call that flags that message as read, sometimes they just attempt to hide it and mark it as unread, but still, the API calls are still there.

Matt Radolec: Or even authorize an app using that token that doesn't change the status of the message. Like some sort of Azure connected application, right? 

Dvir Sason: So it really depends on the demo of that app.

David Gibson: With Storm, I think that it's pretty unlikely that they would do anything that an end user would notice.

If they hadn't synced and read a message and forgot to mark it as unread, but they'd have to be getting pretty sloppy in order to do that. I don't think that's a high likelihood at all. Most probably the end user would see nothing. [00:23:00]

Matt Radolec: Now I didn't want to forget, Dvir, you wanted us to mention a few more vulnerabilities before we wrapped it up here.

Dvir Sason: I guess a lot of different organizations use Fortinet and SonicWall. But Fortinet for the last year had new vulnerabilities and new body teams guarding all sorts of nasty potential attacks, ranging from LC, from SSL VPNs, creating new admin accounts on the appliance itself, completely taking over the firewall, and the list keeps on going.

In that sense, you need to make sure that all of your appliances are always updated to the latest, specifically with Fortinet. It's not because they're sloppy, obviously; it's because they're targeted, they're continuously targeted in that sense, for exposed vulnerabilities in the software.

When it comes to SonicWall, CISA advised several times throughout the year that SonicWall again could be attacked using all sorts of exploits. And I think the main thing that you [00:24:00] remember right now about these two vendors and appliances is that there are vulnerabilities, but it doesn't necessarily mean that there are exploits available, specifically in the Fortinet case.

There are no POCs as of now for the latest vulnerability that came out. But the advice is always to keep it updated at all times. If it means downtime, then of course it needs to be planned out, but this is what it is.

Matt Radolec: And let's check on, let's see if we've got anything else that's coming inside of the Q&A here.

And we'll give that just another couple minutes. And while we do, first I wanted to thank David, our co-host, and Dvir, who I guess is gonna co-host now; you've been on the show three times, so hopefully you'll join us again. And then obviously our audience, right, the show is made possible by you.

David Gibson: You did have somebody want to hear a little bit about JumpCloud. Should we talk a little bit about that?

Matt Radolec: I don't mind sticking around and talking a little bit about JumpCloud. I just messaged our CMO Rob about that just yesterday.

So this is an IT service provider hit by what they're saying is an APT actor. I don't think they've [00:25:00] named the APT actor, but they operate different, which, you know, is this posturing? Is it the real thing? It's hard to say.

They provide, I think, web hosting services. Am I getting that right, Dvir? Like the backend servers for web hosting services.

Dvir Sason: It's more about, for example, asset management for macOS devices and whatnot. It's another means to maintain control on these sorts of machines. And of course someone mentioned authentication brokering.

Matt Radolec: Maybe we're gonna have to have another episode on this. It sounds like it, if there's enough to talk about. Go ahead, Dvir.

Dvir Sason: True. So they released a very generic statement that they were able to take the necessary steps in order to contain that attack, and they switched around all of the keys and tokens.

And they rebuilt the infrastructure from scratch. So it's quite interesting to understand exactly, based on their activities and based on this generic statement of what they've done, what was the impact. And since they didn't release any sort of, they did release IOCs, but they didn't release any specific information about that attack itself, I guess time will tell.

David Gibson: It does look [00:26:00] like they rotated credentials. It looked like there was some spear phishing, and if I'm reading it correctly, it looked like if they got some of those credentials, they'd be able to connect into the infrastructure that they help to facilitate.

It's a little bit like a supply chain attack in that way. 

Matt Radolec: I was gonna say, if they're an authentication broker, this is like a mixture between MOVEit and Storm. Yeah. In the sense that maybe they're forging keys. 'Cause they didn't make a statement about whether or not customers were impacted, right?

Dvir Sason: That's correct. So they did release the IOCs. So that's making me feel, to be honest, a bit nervous about it, but it means that customers should look for these IOCs. They don't know exactly. But since the attack started on June 22nd as spear phishing and stretched all the way to that injection on July 5th, some speculate that they do mention customer network through the JumpCloud agent.

Therefore, it's an absolute supply chain attack. And as you guys mentioned, it does feel like something is [00:27:00] still going on, and they're still in the cleanup process to make sure that that goes out of the network and to understand exactly the impact.

David Gibson: Sounds like they're asking people to look for traffic to nomadpackage.com and nomadpackages.com, with a couple of variations there. Which is, I guess, where they have their orchestrator code, or where you can download malicious orchestrator code. Isn't that what that would be?

Dvir Sason: Correct. 

Matt Radolec: Or the malicious package that potentially got compiled and delivered through the supply chain. Yeah, go ahead. 

Dvir Sason: Exactly. Exactly. So potentially, once threat actors are inside and control their infrastructure and they're able to muddy the water or just inject their code to poison the well, and to inject their code into the development lifecycle process and to affect the code, potentially it might affect the customers based on agent updates and whatnot.

Matt Radolec: It seems like, as updates come out, and I know our marketing hosts are probably super anxious to release our next episode and tell our audience about it, send 'em an email about it, stay [00:28:00] tuned. Once we have enough to say, we'll definitely have one, and maybe it will be on JumpCloud.

And I think we'll have to also, 'cause a few people have asked a lot of questions about Active Directory security today. Maybe in the Is There Any Good News segment next time, David, we can put together some good tips on securing AD and hardening AD amidst all of these supply chain vulnerabilities that seem to go after and use Active Directory as a part of that exploit.

What do you guys think about that? Dvir, I know this is a hot topic for you. You've found vulnerabilities in AD yourself, haven't you? 

Dvir Sason: I manage the team that is in charge of actually doing that, but 

Matt Radolec: So humble, Dvir.

Dvir Sason: But yeah, it's just a hot topic to me. Yes. 

Matt Radolec: Sure. It sounds like we got enough for our next episode and stay tuned, you'll get an email update for us when we're ready to go live. As always, thank you to everybody for tuning in. That's it for another episode of State of Cybercrime. Thank you so much. 

Dvir Sason: Thank you.