\n\n| | \n\n Detecting and mitigating a multi-stage AiTM phishing and BEC campaign. In April 2023 Microsoft Defender Experts uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack against banking and financial services organizations. The attack originated from a compromised trusted vendor and showcases the complexity of AiTM and BEC threats which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud. \n | \n
\n\n| | \n\n Technique profile: Antivirus tampering. One of the first steps many attackers take after the initial compromise of an organization is to identify and tamper with security solutions. By disabling or otherwise tampering with defenses, attackers gain time to install malicious tools, exfiltrate data for espionage or extortion, and potentially launch destructive attacks like ransomware. \n | \n
\n\n| | \n\n Vulnerability profile: MOVEit Transfer zero-day exploitation (CVE-2023-34362). On May 31, 2023, Progress Software Corporation disclosed a critical SQL injection vulnerability (CVE-2023-34362) in their MOVEit Transfer application that could lead to unauthenticated access to the underlying database. Microsoft has observed active exploitation of the MOVEit Transfer vulnerabilities as early as May 27, 2023. \n | \n
\n\n| | \nMediaArena potentially unwanted application detection surge. Microsoft observed an increasing number of detections for a new family of unwanted applications named MediaArena, a highly prevalent family of browser modifier applications that bypass a browser's supported extensibility model to change Microsoft Edge's default search provider. | \n
\n\n| | \nActor profile: Lace Tempest ransomware and extortion group. Lace Tempest (DEV-0950) is a cybercriminal group known to conduct ransomware operations. They target organizations across a diverse array of industries and have traditionally used phishing campaigns and exploited public-facing Serv-U FTP server vulnerabilities to obtain initial access. Recently, Microsoft observed activity originating from Raspberry Robin worm infections attributed to Lace Tempest. | \n
\n\n| | \nActivity Profile: Peach Sandstorm uses sophisticated TTPs in a new campaign. Microsoft observed a resurgence of activity attributed to Peach Sandstorm, an Iran-based nation state actor. While the majority of activity Microsoft saw in this campaign can be characterized as reconnaissance, in March 2023, Microsoft identified a successful intrusion where Peach Sandstorm used a GoldenSAML attack to ultimately exfiltrate data from a compromised organization. | \n
\n\n| | \nActor profile: Cadet Blizzard. Cadet Blizzard (DEV-0586) is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022. Primary targeted sectors include government organizations and information technology providers in Ukraine, although organizations in Europe and Latin America have also been targeted. | \n
\n\n| | \nActor profile: Storm-0288 leverages handoffs from multiple actors to deploy ransomware. Storm-0288 (DEV-0288) is a financially-motivated cybercrime group known to use the malware families PUNCHBUGGY, BadHatch, and White Rabbit, among others. Identified operations have focused on point-of-sale compromise, data exfiltration, extortion, and ransomware deployment. | \n
\n\n| | \nActor profile: Storm-0396 operates LockBit ransomware as a service. Storm-0396 (DEV-0396) is a cybercriminal group known as the likely operators of LockBit ransomware as a service (RaaS). They manage the LockBit RaaS offerings, including LockBit 2.0, LockBit Black (aka LockBit 3.0), the recently discovered variant LockBit Green, and an ESXI variant to encrypt Linux servers. LockBit RaaS is one of the most prominent RaaS models and has historically impacted numerous organizations worldwide. | \n
\n\n| | \nActivity profile: Storm-1359 launches distributed denial of service attacks. Microsoft has attributed distributed denial of service (DDoS) attacks in early June 2023 to the threat actor tracked as Storm-1359. These attacks against multiple Microsoft cloud services, including Microsoft 365 and Azure, likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools. | \n
\n\n| | \nActor profile: Storm-0201. Storm-0201 (DEV-0201) is a criminal group that focuses on the development and distribution of the Emotet malware. They are known to primarily target organizations in opportunistic email attacks worldwide, and prior Storm-0201 infections have led to ransomware. Storm-0201 is tracked by other security companies as Mummy Spider and TA542. | \n
\n\n| | \nActivity profile: Midnight Blizzard credential attacks. Since at least March 2023, Microsoft Threat Intelligence detected an increase in credential attacks and initial access operations utilizing residential proxy services conducted by the threat actor that Microsoft tracks as Midnight Blizzard. The credential attacks use a variety of password spray, brute force, and token theft techniques to gain access to target environments. | \n
\n\n| | \nIoT devices and Linux-based systems targeted by OpenSSH trojan campaign. Microsoft researchers have recently discovered an attack leveraging custom and open-source tools to target internet-facing Linux-based systems and IoT devices. The attack uses a patched version of OpenSSH to take control of impacted devices and install cryptomining malware. | \n
\n\n| | \nTool profile: Greatness adversary-in-the-middle phishing-as-a-service platform. Greatness is a phishing-as-a-service (PhaaS) platform with adversary-in-the-middle (AiTM) capabilities that has been active since mid-2022 and is attributed to the threat that Microsoft tracks as Storm-1295 (DEV-1295). | \n
\n\n
Microsoft
