eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
In recent weeks, eSentire has observed multiple Email Bombing attacks, which involve threat actors using phishing techniques to gain remote access to a host in order to install malware. Email Bombing attacks comprise of users receiving large amounts of spam emails in a short period of time, resulting in overwhelming the user's inbox and a degradation of services. This is followed by a Microsoft Teams message from a threat actor claiming to be part of the organization's IT support team, requesting a remote session to help resolve the issue. These attacks have been linked to threat groups involved in ransomware campaigns. eSentire Threat Intelligence assess with high confidence that Email Bombing will continue to be an effective initial access technique.
Due to ongoing abuse, it is recommended that organizations restrict access to external Microsoft tenants unless required for legitimate business purposes. Additionally, following the principle of least privilege can help limit the potential impact of a security breach.
What we're doing about it
IP addresses associated with real-world attacks are blocked via the eSentire Global Block List and additional indicators of compromise have been added to the Threat Intelligence Feed
eSentire's Threat Response Unit is performing threat hunts for known Indicators of Compromise across customer environments
eSentire MDR for Log has detections in place to identify Microsoft Teams messages originating from external accounts from high-risk sources
eSentire MDR for Endpoint has detections in place to identify domain reconnaissance, application control bypass attempts, as well as for malware and ransomware being deployed on an endpoint
The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
If required, restrictions should be placed to only allow messages and calls from trusted business partners
Remote Access tools should be restricted via policy, unless required for normal operations
Configure anti-spam policies within Exchange Online to block malicious emails
User Awareness Training should be conducted to make users aware of these types of attacks
Grant remote access only to verified Tech Support teams
Login credentials must be kept secure, and access should not be provided to anyone claiming urgency without proper verification
Ensure users are aware of the process to report potential security incidents
Additional Information
The Email Bombing attack chain involves a user receiving high amounts of spam emails within a short period of time, in an attempt to overwhelm the user. This is then followed by a Microsoft Teams messages originating from threat actor-controlled Microsoft Office 365 service tenants, posing as tech support from the users' organization. This is possible through configuration settings within Microsoft Teams allowing for users on external domains the ability to initiate chats or meetings with internal users.
The threat actors will initiate a request for a call with the victim to help remediate the ongoing email spam issue. While on the call, the threat actor will utilize Microsoft remote control tools such as Quick Assist or Teams screen sharing to take control of the target’s machine. During this session, the threat actor will download further malicious payloads onto the host to gain persistence, perform reconnaissance, gather credentials, exfiltrate data, and drop malware or ransomware. Sophos has attributed related activity to the ransomware-related threat clusters STAC5143 and STAC5777, which have also been documented in public reports as key threat actors in recent cyber threats.
In one instance, eSentire observed a threat actor downloading the following files via the Microsoft Edge web browser (kb052117-01.bpx and kb052123-02.bpx) once the threat actor gained access to the host via a Quick Assist session. The files were downloaded from the domain ‘hxxps[://]filters6[.]s3[.]us-east-2[.]amazonaws[.]com/gtjs.html?t=drivers’, and were combined to create the file ‘pack.zip’.
Scripted commands were run, performing various actions with the Zip file, and maintaining a guise of installing email filters for the user to cover their tracks.
This file was extracted using tar[.]exe, and created the ‘%TEMP%\arch1271.cab’ file, where it was copied to the ‘%LOCALAPPDATA%\Microsoft\ODBC’ directory. The ‘arch1271.cab’ file contained the malicious ‘wscapi.dll' which was executed via the ‘odbcconf.exe’process.
Similar actions were performed within the ‘%LOCALAPPDATA%\Microsoft\OneDrive’ directory, which resulted in a legitimate ‘OneDriveStandaloneUpdater.exe’ process being created in the directory as well. After various steps, the script would print ‘Filters installed successfully!’ to cover the threat actor's activity.
A Registry key was also added under ‘HKCU\SOFTWARE\TitanPlus’, containing C2 IPs (45[.]8[.]157[.]199:443;5[.]181[.]3[.]164:443;38[.]180[.]25[.]3:443). The final actions of the script were to delete the kb052117-01.bpx, kb052117-02.bpx, and pack.zip files. This activity was detected via MDR for Endpoint, where the SOC alerted and isolated the host involved.
In other instances of this attack, eSentire has observed PowerShell being used to download additional payloads and establish persistence, once a threat actor has gained remote access to a host. Specifically, the threat actor downloaded TeamViewer for persistence, deployed XenArmor password recovery tool to steal the victim's credentials and leveraged a .NET DLL payload to establish Command-and-Control (C2) connections, load SharpShares in memory to discover network shares, and use Nltest for Domain Controller enumeration.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
