Blog

Ransomware

RESPOND

Les 9 étapes d'un ransomware : comment l'IA réagit à chaque étape

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
22
Dec 2021
22
Dec 2021
Ce blog décompose chaque étape du ransomware, en mettant en évidence les objectifs des attaquants à chaque étape, les techniques qu'ils adoptent pour éviter les défenses conventionnelles et l'activité anormale qui amène l'IA de Darktrace à lancer une réponse ciblée.

Ransomware gets its name by commandeering and holding assets ransom, extorting their owner for money in exchange for discretion and full cooperation in returning exfiltrated data and providing decryption keys to allow business to resume.

Le montant moyen des rançons monte en flèche. Il a atteint 5,3 millions de dollars en 2021, soit une augmentation de 518 % par rapport à l’année précédente. Mais le coût associé à la reprise de l’activité après une attaque par ransomware va bien au-delà du montant de la rançon : après une telle attaque, on constate en moyenne un temps d’arrêt de 21 jours et 66 % des victimes de ransomware rapportent une perte importante de chiffre d’affaires.

Dans cette série, nous analysons ce sujet critique en détail, étape par étape. Les ransomwares comportent plusieurs phases distinctes. Pour les combattre, vous avez besoin d’une solution multiphase qui neutralise chaque l’attaque à chaque stade efficacement et de façon autonome. Découvrir comment l’IA Auto-Apprenante et la Réponse Autonome stoppent les ransomwares instantanément.

1. Intrusion initiale (e-mail)

L’accès initial, première phase d’une attaque par ransomware, peut être établi par force brute sur RDP (service Internet vulnérable), via un site web malveillant ou par un téléchargement opportuniste, par un acteur interne malveillant doté d’identifiants appartenant à l’entreprise, par le biais de vulnérabilités de certains systèmes ou logiciels, ou par de nombreux autres vecteurs d’attaque.

Toutefois, l’e-mail demeure le vecteur d’attaque initial le plus courant. La plus grande faiblesse des organisations en matière de securité sont souvent leurs employés. Les cybercriminels le savent et débordent d’imagination pour exploiter cette vulnérabilité. Ils adressent des e-mails ciblés, bien documentés, à l’aspect légitime à certains employés spécifiques dans le but de susciter une réaction : cliquer sur un lien, ouvrir une pièce jointe, confier ses identifiants ou d’autres informations sensibles.

Les passerelles : stoppent ce qui a déjà été observé

La plupart des outils traditionnels de protection de la messagerie s’appuient sur des indicateurs issus d’attaques antérieures pour tenter de détecter la prochaine menace. Si un e-mail provient d’une adresse IP ou d’un domaine sur liste noire et qu’il utilise un malware connu qui a déjà été observé, il est alors possible de bloquer l’attaque.

En réalité, les cybercriminels savent que la majorité des outils de défense adoptent cette approche historique ; c’est pourquoi ils mettent constamment à jour leur infrastructure d’attaque afin d’échapper à ces outils. En achetant de nouveaux domaines pour quelques centimes, ou modifiant légèrement le code des malwares afin de créer des versions personnalisées, ils évitent et devancent l’approche héritée des passerelles e-mail traditionnelles.

Exemple de situation réelle : attaque par phishing de la chaîne d'approvisionnement

By contrast, Darktrace’s evolving understanding of ‘normal’ for every email user in the organization enables it to detect subtle deviations that point to a threat – even if the sender or any malicious contents of the email are unknown to threat intelligence. This is what enabled the technology to stop an attack that recently targeted McLaren Racing, with emails sent to a dozen employees in the organization each containing a malicious link. This possible precursor to ransomware bypassed conventional email tools – largely because it was sent from a known supplier – however Darktrace recognized the account hijack and held the email back.

Figure 1: A snapshot of Darktrace’s Threat Visualizer surfacing the malicious email

Lire l'étude de cas complète

2. Intrusion initiale (côté serveur)

Comme les organisations ont rapidement étendu leur périmètre connecté à Internet, c’est toute la surface d’attaque qui a augmenté. On a donc logiquement observé une explosion des attaques « traditionnelles » par force brute et côté serveur.

De nombreuses vulnérabilités touchant les serveurs et les systèmes connectés à Internet ont été révélées cette année. Du côté des cybercriminels, il n’a jamais été aussi facile de cibler les infrastructures connectées à Internet : des outils tels que Shodan ou MassScan permettent de parcourir facilement Internet à la recherche de systèmes vulnérables.

Les attaquants peuvent également établir un accès initial en employant une approche par force brute RDP ou des identifiants dérobés ; il est d’ailleurs fréquent de recycler des identifiants légitimes obtenus à partir de fuites de données antérieures. Cette méthode est bien plus précise et génère moins de bruit qu’une attaque par force brute classique.

De nombreux ransomwares utilisent le protocole RDP comme vecteur d’entrée. Cette méthode s’inscrit dans une tendance plus générale, celle du « Living off the Land » : il s’agit d’utiliser des outils légitimes disponibles dans le commerce (utilisation abusive des protocoles RDP ou SMB1 ou d’outils de ligne de commande WMI ou Powershell) pour désorienter les outils de détection et d’attribution en se fondant parmi les activités typiques des administrateurs. Il ne suffit pas de s’assurer que les sauvegardes sont isolées, les configurations renforcées et les correctifs système appliqués : la détection en temps réel de chaque action anormale est vitale.

Antivirus, pare-feu et SIEM

Les antivirus présents sur les endpoints sont uniquement capables de détecter les téléchargements de malware si ce malware a déjà été observé et consigné. Les pare-feu requièrent en général une configuration spécifique à chaque organisation ; ils doivent souvent être modifiés en fonction de l’évolution des besoins de l’entreprise. Si le pare-feu ne contient aucune règle ou signature correspondant exactement à l’attaque rencontrée, il la laissera passer.

Les outils SIEM et SOAR recherchent également des malwares connus en s’appuyant sur des règles prédéfinies et des réponses préprogrammées. Même si ces outils recherchent bel et bien des modèles anormaux, ces modèles sont définis à l’avance, et leur approche part du principe qu’une nouvelle attaque ressemblera suffisamment à des attaques déjà connues.

Exemple de situation réelle : ransomware Dharma

Darktrace a détecté au Royaume-Uni une attaque ciblée utilisant le ransomware Dharma, lancée en exploitant une connexion RDP ouverte sur des serveurs connectés à Internet. Le serveur RDP a commencé à recevoir un grand nombre de connexions entrantes provenant d’adresses IP rares via Internet. L’identifiant RDP utilisé pour cette attaque avait sans doute été compromis avant l’attaque, soit par force brute, soit par des attaques de type stuffing ou phishing. Parmi les techniques couramment utilisées, l’une des plus populaires en ce moment consiste à acheter des identifiants RDP et à passer directement à l’accès initial.

Figure 2 : violations de modèle déclenchées au cours de cette attaque, notamment concernant l’activité RDP anormale

Malheureusement, dans ce cas, la Réponse Autonome n’était pas installée et le ransomware Dharma a continué son déploiement jusqu’aux étapes finales. L’équipe de sécurité a alors dû intervenir de façon agressive en déconnectant le serveur RDP en plein chiffrement.

Lire l'étude de cas complète

3. Mise en place de l’accès initial d’un canal C2

Que ce soit grâce au phishing, à une attaque par force brute ou toute autre méthode, le cybercriminel réussit à pénétrer le réseau. Il prend ensuite contact avec la ou les machine(s) compromise(s) afin d’établir une présence initiale.

Cette étape permet à l’attaquant de contrôler à distance les phases suivantes de l’attaque. Tout au long de ces communications de commande et contrôle (C2), d’autres malwares peuvent être transmis aux machines. Ils renforcent la présence de l’attaquant au sein de l’organisation et facilitent les déplacements latéraux.

Les cybercriminels peuvent adapter les fonctionnalités des malwares à l’aide de différents plug-ins prêts à l’emploi, qui leur permettent de se faire discrets sur le réseau d’entreprise. Les ransomwares modernes et sophistiqués sont capables de s’adapter eux-mêmes à leur environnement et d’opérer de façon autonome, en se fondant dans l’activité normale de l’entreprise, même lorsqu’ils sont déconnectés de leur serveur de commande et contrôle. Ces ransomwares « autosuffisants » posent un problème de taille aux outils traditionnels, qui détectent uniquement les menaces en fonction des connexions externes indésirables qu’elles ont établies.

La détection des connexions isolées face à une compréhension globale de l’entreprise

Les outils de sécurité traditionnels, tels que les systèmes de détection d’intrusions (IDS) et les pare-feu, ont tendance à examiner les connexions isolément au lieu de s’intéresser aux connexions précédentes, potentiellement pertinentes, ce qui rend la détection des canaux C2 très difficile.

Les IDS et les pare-feu sont capables de bloquer les domaines malveillants connus ou d’utiliser une forme de blocage par géolocalisation, mais un cybercriminel averti utiliserait probablement une nouvelle infrastructure dans un tel cas.

Certains aspects ne sont pas analysés par ces outils : la périodicité, la régularité ou l’irrégularité des connexions de communication, l’âge ou encore la rareté du domaine dans le contexte de l’environnement.

Darktrace adapte constamment sa compréhension de l’entreprise numérique. Ainsi, les connexions C2 suspectes et les téléchargements qui s’ensuivent sont détectés, même si le cybercriminel utilise des programmes et des méthodes habituelles pour l’entreprise. La technologie d’IA corrèle de multiples signaux subtils indicateurs de menaces en tenant compte notamment des connexions anormales vers des endpoints récents et/ou inhabituels, des téléchargements de fichiers anormaux, des connexions RDP entrantes, ainsi que des téléversements et téléchargements de données inhabituels.

Once they are detected as a threat, Darktrace RESPOND halts these connections and downloads, while allowing normal business activity to continue.

Exemple de situation réelle : attaque WastedLocker

Lorsqu’une attaque menée à l’aide du ransomware WastedLocker a touché un institut agricole aux États-Unis, Darktrace a immédiatement détecté l’activité C2 SSL initiale inhabituelle (en rapprochant la rareté de la destination, le caractère inhabituel de la méthodologie JA3 et l’analyse de fréquence). Antigena (qui était alors déployée en mode passif, et ne pouvait donc pas mettre en place d’actions autonomes) a immédiatement suggéré de bloquer le trafic C2 sur le port 443 et le scan interne parallèle sur le port 135.

Figure 3 : le Threat Visualizer révèle les actions qui auraient été mises en œuvre par Antigena

Lorsque des activités de balisage ont ensuite été observées vers bywce.payment.refinedwebs[.]com, cette fois via HTTP vers /updateSoftwareVersion, Antigena a relevé son niveau de réponse en bloquant les autres canaux C2.

Figure 4: Antigena escalates its response

Lire l'étude de cas complète

4. Lateral movement

Une fois qu'un attaquant a pris pied au sein d'une organisation, il commence à approfondir sa connaissance de l'ensemble du patrimoine numérique et de sa présence dans celui-ci. C'est ainsi qu'il trouvera et accédera aux fichiers qu'il tentera finalement d'exfiltrer et de chiffrer. Il commence par la reconnaissance : scanner le réseau, dresser une image des dispositifs qui le composent, identifier l'emplacement des actifs les plus précieux.

Then the attacker begins moving laterally. They infect more devices and look to escalate their privileges – for instance, by obtaining admin credentials – thereby increasing their control over the environment. Once they have obtained authority and presence within the digital estate, they can progress to the final stages of the attack.

Modern ransomware has built-in functions that allow it to search automatically for stored passwords and spread through the network. More sophisticated strains are designed to build themselves differently in different environments, so the signature is constantly changing and it’s harder to detect.

Legacy tools: A blunt response to known threats

Because they rely upon static rules and signatures, legacy solutions struggle to prevent lateral movement and privilege escalation without also impeding essential business operations. Whilst in theory, an organization leveraging firewalls and NAC internally with proper network segmentation and a perfect configuration could prevent cross-network lateral movement, maintaining a perfect balance between protective and disruptive controls is near impossible.

Some organizations rely on Intrusion Prevent Systems (IPS) to deny network traffic when known threats are detected in packets, but as with previous stages, novel malware will evade detection, and this requires the database to be constantly updated. These solutions also sit at the ingress/egress points, limiting their network visibility. An Intrusion Detection System (IDS) may sit out-of-line, but doesn’t have response capabilities.

Une approche auto-apprenante

Darktrace’s AI learns ‘self’ for the organization, enabling it to detect suspicious activity indicative of lateral movement, regardless of whether the attacker uses new infrastructure or ‘lives off the land’. Potential unusual activity that Darktrace detects includes unusual scanning activity, unusual SMB, RDP, and SSH activity. Other models that fire at this stage include:

  • Suspicious Activity on High-Risk Device
  • Numeric EXE in SMB Write
  • New or Uncommon Service Control

Autonomous Response then takes targeted action to stop the threat at this stage, blocking anomalous connections, enforcing the infected device’s ‘pattern of life’, or enforcing the group ‘pattern of life’ – automatically clustering devices into peer groups and preventing a device from doing anything its peer group hasn’t done.

Where malicious behavior persists, and only if necessary, Darktrace will quarantine an infected device.

Real-world example: Unusual chain of RDP connections

At an organization in Singapore, one compromised server led to the creation of a botnet, which began moving laterally, predominantly by establishing chains of unusual RDP connections. The server then started making external SMB and RPC connections to rare endpoints on the Internet, in an attempt to find further vulnerable hosts.

Other lateral movement activities detected by Darktrace included the repeated failing attempts to access multiple internal devices over the SMB file-sharing protocol with a range of different usernames, implying brute-force network access attempts.

Figure 5: Darktrace’s Cyber AI Analyst reveals suspicious TCP scanning followed by a suspicious chain of administrative RDP connections

Lire l'étude de cas complète

5. Data exfiltration

In the past, ransomware was simply about encrypting an operating system and network files.

In a modern attack, as organizations insure against malicious encryption by becoming increasingly diligent with data backups, threat actors have moved towards ‘double extortion’, where they exfiltrate key data and destroy backups before the encryption takes place. Exfiltrated data is used to blackmail organizations, with attackers threatening to publish sensitive information online or sell it on to the organization’s competitors if they are not paid.

Modern ransomware variants also look for cloud file storage repositories such as Box, Dropbox, and others.

Many of these incidents aren’t public, because if IP is stolen, organizations are not always legally required to disclose it. However, in the case of customer data, organizations are obligated by law to disclose the incident and face the additional burden of compliance files – and we’ve seen these mount in recent years (Marriot, $23.8 million; British Airways, $26 million; Equifax, $575 million). There’s also the reputational blow associated with having to inform customers that a data breach has occurred.

Legacy tools: The same old story

For those that have been following, the narrative by now will sound familiar: to stop a ransomware attack at this stage, most defenses rely on either pre-programmed definitions of 'bad' or have rules constructed to combat different scenarios put organizations in a risky, never-ending game of cat and mouse.

A firewall and proxy might block connections based on pre-programmed policies based on specific endpoints or data volumes, but it’s likely an attacker will ‘live off the land’ and utilize a service that is generally allowed by the business.

The effectiveness of these tools will vary according to data volumes: they might be effective for ‘smash and grab’ attacks using known malware, and without employing any defense evasion techniques, but are unlikely to spot ‘low and slow’ exfiltration and novel or sophisticated strains.

On the other hand, because by nature it involves a break from expected behavior, even less conspicuous, low and slow data exfiltration is detected by Darktrace and stopped with Darktrace RESPOND. No confidential files are lost, and attackers are unable to extort a ransom payment through blackmail.

Real-world example: Unusual chain of RDP connections

It becomes more difficult to find examples of Darktrace RESPOND stopping ransomware at these later stages, as the threat is usually contained before it gets this far. This is the double-edged sword of effective security – early containment makes for bad storytelling! However, we can see the effects of a double extortion ransomware attack on an energy company in Canada. The organization had the Enterprise Immune System but no Antigena, and without anyone actively monitoring Darktrace’s AI detections, the attack was allowed to unfold.

The attacker managed to connect to an internal file server and download 1.95TB of data. The device was also seen downloading Rclone software – an open-source tool, which was likely applied to sync data automatically to the legitimate file storage service pCloud. Following the completion of the data exfiltration, the device ‘serverps’ finally began encrypting files on 12 devices with the extension *.06d79000. As with the majority of ransomware incidents, the encryption happened outside of office hours – overnight in local time – to minimize the chance of the security team responding quickly.

Read the full details of the attack

It should be noted that the exact order of the stages 3–5 above is not set in stone, and varies according to attack. Sometimes data is exfiltrated and then there is further lateral movement, and additional C2 beaconing. This entire period is known as the ‘dwell time’. Sometimes it takes place over only a few days, other times attackers may persist for months, slowly gathering more intel and exfiltrating data in a ‘low and slow’ fashion so as to avoid detection from rule-based tools that are configured to flag any single data transfer over a certain threshold. Only through a holistic understanding of malicious activity over time can a technology spot this level of activity and allow the security team to remove the threat before it reaches the latter and most damaging stages of ransomware.

6. Data encryption

Using either symmetric encryption, asymmetric encryption, or a combination of the two, attackers attempt to render as much data unusable in the organization’s network as they can before the attack is detected.

As the attackers alone have access to the relevant decryption keys, they are now in total control of what happens to the organization’s data.

Pre-programmed response and disruption

There are many families of tools that claim to stop encryption in this manner, but each contain blind spots which enable a sophisticated attacker to evade detection at this crucial stage. Where they do take action, it is often highly disruptive, causing major shutdowns and preventing a business from continuing its usual operations.

Internal firewalls prevent clients from accessing servers, so once an attacker has penetrated to servers using any of the techniques outlined above, they have complete freedom to act as they want.

Similarly, antivirus tools look only for known malware. If the malware has not been detected until this point, it is highly unlikely the antivirus will act here.

Stopping encryption autonomously

Even if familiar tools and methods are used to conduct it, Autonomous Response can enforce the normal ‘pattern of life’ for devices attempting encryption, without using static rules or signatures. This action can be taken independently or via integrations with native security controls, maximizing the return on other security investments. With a targeted Autonomous Response, normal business operations can continue while encryption is prevented.

7. Ransom note

It is important to note that in the stages before encryption, this ransomware attack is not yet “ransomware”. Only at this stage does it gets its name.

A ransom note is deployed. The attackers request payment in return for a decryption key and threaten the release of sensitive exfiltrated data. The organization must decide whether to pay the ransom or lose their data, possibly to their competition or the public. The average demand made by ransomware threat actors rose in 2021 to $5.3 million, with meat processing company JBS paying out $11 million and DarkSide receiving over $90 million in Bitcoin payments following the Colonial Pipeline incident.

All of the stages up until this point represent a typical, traditional ransomware attack. But ransomware is shifting from indiscriminate encryption of devices to attackers targeting business disruption in general, using multiple techniques to hold their victims to ransom. Additional methods of extortion include not only data exfiltration, but corporate domain hijack, deletion or encryption of backups, attacks against systems close to industrial control systems, targeting company VIPs… the list goes on.

Sometimes, attackers will just skip straight from stage 2 to 6 and jump straight to extortion. Darktrace recently stopped an email attack which showed an attacker bypassing the hard work and attempting to jump straight to extortion in an email. The attacker claimed to have compromised the organization’s sensitive data, requesting payment in bitcoin for its same return. Whether or not the claims were true, this attack shows that encryption is not always necessary for extortion, and this type of harassment exists in multiple forms.

Figure 6: Darktrace holds back the offending email, protecting the recipient and organization from harm

As with the email example we explored in the first post of this series, Darktrace/Email was able to step in and stop this email where other email tools would have let it through, stopping this potentially costly extortion attempt.

Whether through encryption or some other kind of blackmail, the message is the same every time. Pay up, or else. At this stage, it’s too late to start thinking about any of the options described above that were available to the organization, that would have stopped the attack in its earliest stages. There is only one dilemma. “To pay or not to pay” – that is the question.

Often, people believe their payment troubles are over after the ransom payment stage, but unfortunately, it’s just beginning to scratch the surface…

8. Clean-up

Efforts are made to try to secure the vulnerabilities which allowed the attack to happen initially – the organization should be conscious that approximately 80% of ransomware victims will in fact be targeted again in the future.

Legacy tools largely fail to shed light on the vulnerabilities which allowed the initial breach. Like searching for a needle in an incomplete haystack, security teams will struggle to find useful information within the limited logs offered by firewalls and IDSs. Antivirus solutions may reveal some known malware but fail to spot novel attack vectors.

With Darktrace’s Cyber AI Analyst, organizations are given full visibility over every stage of the attack, across all coverage areas of their digital estate, taking the mystery out of ransomware attacks. They are also able to see the actions that would have been taken to halt the attack by Darktrace RESPOND.

9. Recovery

The organization begins attempts to return its digital environment to order. Even if it has paid for a decryption key, many files may remain encrypted or corrupted. Beyond the costs of the ransom payment, network shutdowns, business disruption, remediation efforts, and PR setbacks all incur hefty financial losses.

The victim organization may also suffer additional reputation costs, with 66% of victims reporting a significant loss of revenue following a ransomware attack, and 32% reporting losing C-level talent as a direct result from ransomware.

Conclusion

While the high-level stages described above are common in most ransomware attacks, the minute you start looking at the details, you realize every ransomware attack is different.

As many targeted ransomware attacks come through ransomware affiliates, the Tools, Techniques and Procedures (TTPs) displayed during intrusions vary widely, even when the same ransomware malware is used. This means that even comparing two different ransomware attacks using the same ransomware family, you are likely to encounter completely different TTPs. This makes it impossible to predict what tomorrow’s ransomware will look like.

This is the nail in the coffin for traditional tooling which is based on historic attack data. The above examples demonstrate that Self-Learning technology and Autonomous Response is the only solution that stops ransomware at every stage, across email and network.

DANS LE SOC
Darktrace sont des experts de classe mondiale en matière de renseignement sur les menaces, de chasse aux menaces et de réponse aux incidents. Ils fournissent une assistance SOC 24 heures sur 24 et 7 jours sur 7 à des milliers de clients Darktrace dans le monde entier. Inside the SOC est exclusivement rédigé par ces experts et fournit une analyse des cyberincidents et des tendances en matière de menaces, basée sur une expérience réelle sur le terrain.
AUTEUR
à propos de l'auteur
Dan Fein
VP, Produits

Based in New York, Dan joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s product suite. Dan has a particular focus on Darktrace/Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.

Book a 1-1 meeting with one of our experts
share this article
Couverture de base
Aucun élément trouvé.

More in this series

Aucun élément trouvé.

Blog

Email

How to Protect your Organization Against Microsoft Teams Phishing Attacks

Default blog imageDefault blog image
21
May 2024

The problem: Microsoft Teams phishing attacks are on the rise

Around 83% of Fortune 500 companies rely on Microsoft Office products and services1, with Microsoft Teams and Microsoft SharePoint in particular emerging as critical platforms to the business operations of the everyday workplace. Researchers across the threat landscape have begun to observe these legitimate services being leveraged more and more by malicious actors as an initial access method.

As Teams becomes a more prominent feature of the workplace many employees rely on it for daily internal and external communication, even surpassing email usage in some organizations. As Microsoft2 states, "Teams changes your relationship with email. When your whole group is working in Teams, it means you'll all get fewer emails. And you'll spend less time in your inbox, because you'll use Teams for more of your conversations."

However, Teams can be exploited to send targeted phishing messages to individuals either internally or externally, while appearing legitimate and safe. Users might receive an external message request from a Teams account claiming to be an IT support service or otherwise affiliated with the organization. Once a user has accepted, the threat actor can launch a social engineering campaign or deliver a malicious payload. As a primarily internal tool there is naturally less training and security awareness around Teams – due to the nature of the channel it is assumed to be a trusted source, meaning that social engineering is already one step ahead.

Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled account (courtesy of Microsoft)
Figure 1: Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled account (courtesy of Microsoft)

Microsoft Teams Phishing Examples

Microsoft has identified several major phishing attacks using Teams within the past year.

In July 2023, Microsoft announced that the threat actor known as Midnight Blizzard – identified by the United States as a Russian state-sponsored group – had launched a series of phishing campaigns via Teams with the aim of stealing user credentials. These attacks used previously compromised Microsoft 365 accounts and set up new domain names that impersonated legitimate IT support organizations. The threat actors then used social engineering tactics to trick targeted users into sharing their credentials via Teams, enabling them to access sensitive data.  

At a similar time, threat actor Storm-0324 was observed sending phishing lures via Teams containing links to malicious SharePoint-hosted files. The group targeted organizations that allow Teams users to interact and share files externally. Storm-0324’s goal is to gain initial access to hand over to other threat actors to pursue more dangerous follow-on attacks like ransomware.

For a more in depth look at how Darktrace stops Microsoft Teams phishing read our blog: Don’t Take the Bait: How Darktrace Keeps Microsoft Teams Phishing Attacks at Bay

The market: Existing Microsoft Teams security solutions are insufficient

Microsoft’s native Teams security focuses on payloads, namely links and attachments, as the principal malicious component of any phishing. These payloads are relatively straightforward to detect with their experience in anti-virus, sandboxing, and IOCs. However, this approach is unable to intervene before the stage at which payloads are delivered, before the user even gets the chance to accept or deny an external message request. At the same time, it risks missing more subtle threats that don’t include attachments or links – like early stage phishing, which is pure social engineering – or completely new payloads.

Equally, the market offering for Teams security is limited. Security solutions available on the market are always payload-focused, rather than taking into account the content and context in which a link or attachment is sent. Answering questions like:

  • Does it make sense for these two accounts to speak to each other?
  • Are there any linguistic indicators of inducement?

Furthermore, they do not correlate with email to track threats across multiple communication environments which could signal a wider campaign. Effectively, other market solutions aren’t adding extra value – they are protecting against the same types of threats that Microsoft is already covering by default.

The other aspect of Teams security that native and market solutions fail to address is the account itself. As well as focusing on Teams threats, it’s important to analyze messages to understand the normal mode of communication for a user, and spot when a user’s Teams activity might signal account takeover.

The solution: How Darktrace protects Microsoft Teams against sophisticated threats

With its biggest update to Darktrace/Email ever, Darktrace now offers support for Microsoft Teams. With that, we are bringing the same AI philosophy that protects your email and accounts to your messaging environment.  

Our Self-Learning AI looks at content and context for every communication, whether that’s sent in an email or Teams message. It looks at actual user behavior, including language patterns, relationship history of sender and recipient, tone and payloads, to understand if a message poses a threat. This approach allows Darktrace to detect threats such as social engineering and payloadless attacks using visibility and forensic capabilities that Microsoft security doesn’t currently offer, as well as early symptoms of account compromise.  

Unlike market solutions, Darktrace doesn’t offer a siloed approach to Teams security. Data and signals from Teams are shared across email to inform detection, and also with the wider Darktrace ActiveAI security platform. By correlating information from email and Teams with network and apps security, Darktrace is able to better identify suspicious Teams activity and vice versa.  

Interested in the other ways Darktrace/Email augments threat detection? Read our latest blog on how improving the quality of end-user reporting can decrease the burden on the SOC. To find our more about Darktrace's enduring partnership with Microsoft, click here.

References

[1] Essential Microsoft Office Statistics in 2024

[2] Microsoft blog, Microsoft Teams and email, living in harmony, 2024

Continue reading
About the author
Carlos Gray
Product Manager

Blog

A l'intérieur du SOC

Don’t Take the Bait: How Darktrace Keeps Microsoft Teams Phishing Attacks at Bay

Default blog imageDefault blog image
20
May 2024

Social Engineering in Phishing Attacks

Faced with increasingly cyber-aware endpoint users and vigilant security teams, more and more threat actors are forced to think psychologically about the individuals they are targeting with their phishing attacks. Social engineering methods like taking advantage of the human emotions of their would-be victims, pressuring them to open emails or follow links or face financial or legal repercussions, and impersonating known and trusted brands or services, have become common place in phishing campaigns in recent years.

Phishing with Microsoft Teams

The malicious use of the popular communications platform Microsoft Teams has become widely observed and discussed across the threat landscape, with many organizations adopting it as their primary means of business communication, and many threat actors using it as an attack vector. As Teams allows users to communicate with people outside of their organization by default [1], it becomes an easy entry point for potential attackers to use as a social engineering vector.

In early 2024, Darktrace/Apps™ identified two separate instances of malicious actors using Microsoft Teams to launch a phishing attack against Darktrace customers in the Europe, the Middle East and Africa (EMEA) region. Interestingly, in this case the attackers not only used a well-known legitimate service to carry out their phishing campaign, but they were also attempting to impersonate an international hotel chain.

Despite these attempts to evade endpoint users and traditional security measures, Darktrace’s anomaly detection enabled it to identify the suspicious phishing messages and bring them to the customer’s attention. Additionally, Darktrace’s autonomous response capability, was able to follow-up these detections with targeted actions to contain the suspicious activity in the first instance.

Darktrace Coverage of Microsoft Teams Phishing

Chats Sent by External User and Following Actions by Darktrace

On February 29, 2024, Darktrace detected the presence of a new external user on the Software-as-a-Service (SaaS) environment of an EMEA customer for the first time. The user, “REDACTED@InternationalHotelChain[.]onmicrosoft[.]com” was only observed on this date and no further activities were detected from this user after February 29.

Later the same day, the unusual external user created its first chat on Microsoft Teams named “New Employee Loyalty Program”. Over the course of around 5 minutes, the user sent 63 messages across 21 different chats to unique internal users on the customer’s SaaS platform. All these chats included the ‘foreign tenant user’ and one of the customer’s internal users, likely in an attempt to remain undetected. Foreign tenant user, in this case, refers to users without access to typical internal software and privileges, indicating the presence of an external user.

Darktrace’s detection of unusual messages being sent by a suspicious external user via Microsoft Teams.
Figure 1: Darktrace’s detection of unusual messages being sent by a suspicious external user via Microsoft Teams.
Advanced Search results showing the presence of a foreign tenant user on the customer’s SaaS environment.
Figure 2: Advanced Search results showing the presence of a foreign tenant user on the customer’s SaaS environment.

Darktrace identified that the external user had connected from an unusual IP address located in Poland, 195.242.125[.]186. Darktrace understood that this was unexpected behavior for this user who had only previously been observed connecting from the United Kingdom; it further recognized that no other users within the customer’s environment had connected from this external source, thereby deeming it suspicious. Further investigation by Darktrace’s analyst team revealed that the endpoint had been flagged as malicious by several open-source intelligence (OSINT) vendors.

External Summary highlighting the rarity of the rare external source from which the Teams messages were sent.
Figure 3: External Summary highlighting the rarity of the rare external source from which the Teams messages were sent.

Following Darktrace’s initial detection of these suspicious Microsoft Teams messages, Darktrace's autonomous response was able to further support the customer by providing suggested mitigative actions that could be applied to stop the external user from sending any additional phishing messages.

Unfortunately, at the time of this attack Darktrace's autonomous response capability was configured in human confirmation mode, meaning any autonomous response actions had to be manually actioned by the customer. Had it been enabled in autonomous response mode, it would have been able promptly disrupt the attack, disabling the external user to prevent them from continuing their phishing attempts and securing precious time for the customer’s security team to begin their own remediation procedures.

Darktrace autonomous response actions that were suggested following the ’Large Volume of Messages Sent from New External User’ detection model alert.
Figure 4: Darktrace autonomous response actions that were suggested following the ’Large Volume of Messages Sent from New External User’ detection model alert.

External URL Sent within Teams Chats

Within the 21 Teams chats created by the threat actor, Darktrace identified 21 different external URLs being sent, all of which included the domain "cloud-sharcpoint[.]com”. Many of these URLs had been recently established and had been flagged as malicious by OSINT providers [3]. This was likely an attempt to impersonate “cloud-sharepoint[.]com”, the legitimate domain of Microsoft SharePoint, with the threat actor attempting to ‘typo-squat’ the URL to convince endpoint users to trust the legitimacy of the link. Typo-squatted domains are commonly misspelled URLs registered by opportunistic attackers in the hope of gaining the trust of unsuspecting targets. They are often used for nefarious purposes like dropping malicious files on devices or harvesting credentials.

Upon clicking this malicious link, users were directed to a similarly typo-squatted domain, “InternatlonalHotelChain[.]sharcpoInte-docs[.]com”. This domain was likely made to appear like the SharePoint URL used by the international hotel chain being impersonated.

Redirected link to a fake SharePoint page attempting to impersonate an international hotel chain.
Figure 5: Redirected link to a fake SharePoint page attempting to impersonate an international hotel chain.

This fake SharePoint page used the branding of the international hotel chain and contained a document named “New Employee Loyalty Program”; the same name given to the phishing messages sent by the attacker on Microsoft Teams. Upon accessing this file, users would be directed to a credential harvester, masquerading as a Microsoft login page, and prompted to enter their credentials. If successful, this would allow the attacker to gain unauthorized access to a user’s SaaS account, thereby compromising the account and enabling further escalation in the customer’s environment.

Figure 6: A fake Microsoft login page that popped-up when attempting to open the ’New Employee Loyalty Program’ document.

This is a clear example of an attacker attempting to leverage social engineering tactics to gain the trust of their targets and convince them to inadvertently compromise their account. Many corporate organizations partner with other companies and well-known brands to offer their employees loyalty programs as part of their employment benefits and perks. As such, it would not necessarily be unexpected for employees to receive such an offer from an international hotel chain. By impersonating an international hotel chain, threat actors would increase the probability of convincing their targets to trust and click their malicious messages and links, and unintentionally compromising their accounts.

In spite of the attacker’s attempts to impersonate reputable brands, platforms, Darktrace/Apps was able to successfully recognize the malicious intent behind this phishing campaign and suggest steps to contain the attack. Darktrace recognized that the user in question had deviated from its ‘learned’ pattern of behavior by connecting to the customer’s SaaS environment from an unusual external location, before proceeding to send an unusually large volume of messages via Teams, indicating that the SaaS account had been compromised.

A Wider Campaign?

Around a month later, in March 2024, Darktrace observed a similar incident of a malicious actor impersonating the same international hotel chain in a phishing attacking using Microsoft Teams, suggesting that this was part of a wider phishing campaign. Like the previous example, this customer was also based in the EMEA region.  

The attack tactics identified in this instance were very similar to the previously example, with a new external user identified within the network proceeding to create a series of Teams messages named “New Employee Loyalty Program” containing a typo-squatted external links.

There were a few differences with this second incident, however, with the attacker using the domain “@InternationalHotelChainExpeditions[.]onmicrosoft[.]com” to send their malicious Teams messages and using differently typo-squatted URLs to imitate Microsoft SharePoint.

As both customers targeted by this phishing campaign were subscribed to Darktrace’s Proactive Threat Notification (PTN) service, this suspicious SaaS activity was promptly escalated to the Darktrace Security Operations Center (SOC) for immediate triage and investigation. Following their investigation, the SOC team sent an alert to the customers informing them of the compromise and advising urgent follow-up.

Conclusion

While there are clear similarities between these Microsoft Teams-based phishing attacks, the attackers here have seemingly sought ways to refine their tactics, techniques, and procedures (TTPs), leveraging new connection locations and creating new malicious URLs in an effort to outmaneuver human security teams and conventional security tools.

As cyber threats grow increasingly sophisticated and evasive, it is crucial for organizations to employ intelligent security solutions that can see through social engineering techniques and pinpoint suspicious activity early.

Darktrace’s Self-Learning AI understands customer environments and is able to recognize the subtle deviations in a device’s behavioral pattern, enabling it to effectively identify suspicious activity even when attackers adapt their strategies. In this instance, this allowed Darktrace to detect the phishing messages, and the malicious links contained within them, despite the seemingly trustworthy source and use of a reputable platform like Microsoft Teams.

Credit to Min Kim, Cyber Security Analyst, Raymond Norbert, Cyber Security Analyst and Ryan Traill, Threat Content Lead

Appendix

Darktrace Model Detections

SaaS Model

Large Volume of Messages Sent from New External User

SaaS / Unusual Activity / Large Volume of Messages Sent from New External User

Indicators of Compromise (IoCs)

IoC – Type - Description

https://cloud-sharcpoint[.]com/[a-zA-Z0-9]{15} - Example hostname - Malicious phishing redirection link

InternatlonalHotelChain[.]sharcpolnte-docs[.]com – Hostname – Redirected Link

195.242.125[.]186 - External Source IP Address – Malicious Endpoint

MITRE Tactics

Tactic – Technique

Phishing – Initial Access (T1566)

References

[1] https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings

[2] https://www.virustotal.com/gui/ip-address/195.242.125.186/detection

[3] https://www.virustotal.com/gui/domain/cloud-sharcpoint.com

Continue reading
About the author
Min Kim
Cyber Security Analyst
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Commencez votre essai gratuit
Darktrace AI protecting a business from cyber threats.