Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Initial Access Broker Ramps Up MS Teams Attacks

A threat actor tracked by Microsoft as Storm-0324 (also TA543/Sagrid) has begun distributing payloads using an open-source tool called TeamsPhisher to send phishing lures through Microsoft Teams chats. Storm-0324 typically acts as an initial access broker - once it has compromised a victim, it then sells off access to other threat actors, by implanting their choice of loader, backdoor, stealer or ransomware (such as JSSLoader for ransomware-as-a-service operator FIN7).

Storm-0324 operates a sophisticated traffic distribution chain to bypass identification and filtering capabilities as they deliver phishing emails and malmails. Their emails often make references to invoices and payments, and they mimic cloud services like DocuSign, Quickbooks Online and others.

The Storm-0324 malware distribution chain typically redirects users to a Sharepoint-hosted compressed file - an MS Office document, a Windows Script File (.wsf) or VBScript - which then launches some malicious JavaScript to download the final malicious DLL payload. Since 2016, Storm-0324 has used a variety of first-stage payloads:

• Nymaim, a first-stage downloader and locker
• Gozi version 3, an infostealer
• Trickbot, a modular malware platform
• Gootkit, a banking trojan
• Dridex, a banking trojan
• Sage ransomware
• GandCrab ransomware
• IcedID, a modular information-stealing malware
• JSSLoader - a modular loader and infostealer

However, in July 2023, Storm-0324 began using phishing lures sent over Microsoft Teams with links leading to a malicious Sharepoint-hosted file, using TeamsPhisher, a Python program that enables Teams tenant users to attach files to messages sent to external tenants. These lures are identified by the Teams platform as "EXTERNAL" users (if the organization has  enabled external access in the first place).

Microsoft has rolled out a number of enhancements to the Accept/Block dialog in one-on-one chats within Teams, to better emphasize the external nature of a user and their email address. There are also new restrictions on the creation of domains within tenants and improved notifications to admins when new domains are created.

Microsoft makes a number of recommendations for Teams customers, including better user education, deployment of phishing-resistant authentication mechanisms such as security keys or software TOTP authenticator apps and allowing chat and meetings with only specific trusted organizations.

Microsoft Threat Intelligence, Malware distributor Storm-0324 facilitates ransomware access, blog post, 12 September 2023. Available online at https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/.

CISA Releases Open Source Software Security Roadmap

The US Cybersecurity & Infrastructure Security Agency has released its Open Source Software Security Roadmap which lays out the agency's path to helping ensure a secure FLOSS ecosystem. The impact of highly-publicized vulnerabilities in open source software, and the related exploits such as Log4Shell, demonstrates that this effort could return significant benefits.

The roadmap lays out four key goals, each with subsidiary objectives:

• Establish CISA's Role in Supporting the Security of OSS
  • Partner with OSS Communities
  • Encourage Collective Action From Centralized OSS Entities
  • Expand Engagement and Collaboration With International Partners
  • Establish and Organize CISA’s OSS Work
• Drive Visibility into OSS Usage and Risks
  • Understand OSS Software Prevalence
  • Develop a Framework for OSS Risk Prioritization
  • Conduct Risk-Informed Prioritization of OSS Projects in Federal Government and Critical Infrastructure
  • Understand Threats to Critical OSS Dependencies
• Reduce Risks to the (US) Federal Government
  • Evaluate Solutions to Aid in Secure Usage of OSS
  • Develop Open Source Program Office Guidance For Federal Agencies
  • Drive Prioritization of Federal Actions in OSS Security
• Harden the OSS Ecosystem
  • Continue to Advance SBOM (Software Bill of Materials) Within OSS Supply Chains
  • Foster Security Education for Open Source Developers
  • Publish Guidance on OSS Security Usage Best Practices
  • Foster OSS Vulnerability Disclosure and Response

The roadmap aims to address two primary classes of open-source vulnerabilities and exploits: the cascading effects of vulnerabilities in widely-used libraries and subsystems which ship as part of larger applications, and supply-chain attacks on open-source repositories, which then lead to compromise of downstream software.

The Agency is inviting feedback on its open-source efforts, at OpenSource@cisa.dhs.gov.

CISA, CISA Open Source Software Security Roadmap, resource, 12 September 2023. Available online at https://www.cisa.gov/resources-tools/resources/cisa-open-source-software-security-roadmap.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.