Cobalt Strikes MS Teams

Ransomware operators are using malicious fake ads for Microsoft Teams updates to infect systems with backdoors that then deploy Cobalt Strike to compromise the rest of the network.

The attacks target organizations in various industries, but recent ones focused on the education sector (K-12), which depends on videoconferencing solutions due to Covid-19 restrictions.

Microsoft is warning its customers about these FakeUpdates campaigns and, via its Defender ATP service, offering recommendations that would lower the impact of the attack.

The operators' tooling has changed over time; for instance, they started using signed binaries and a variety of second-stage payloads.

In one attack Microsoft detected, the crooks purchased a search engine ad that caused the top results for Teams software to point to a domain under their control.

Clicking the link downloaded a payload that executed a PowerShell script to retrieve more malicious content. It also installed a legitimate copy of Microsoft Teams on the system to keep the victim unaware of the attack.

Microsoft says that in many cases the initial payload was the Predator the Thief infostealer, which sends the attacker sensitive information such as credentials, browser data and payment data. Other malware distributed this way includes the Bladabindi (NJRat) backdoor and the ZLoader stealer.

The malware also downloaded further payloads, Cobalt Strike beacons among them, giving the attacker a foothold from which to work out how to move laterally across the network.

In several of the observed attacks, the last stage was detonating file-encrypting malware on the network computers.

Microsoft is warning that the same patterns seen in the FakeUpdates campaigns using Teams updates as the lure were observed in at least six others, suggesting the same actor is behind them. In some variations on the theme, the attacker used the IP Logger URL shortening service.

Mitigations

Microsoft recommends using web browsers that can filter and block malicious websites.

Restrict local administrator privileges to the users who actually need them, so that a compromised account cannot install malware system-wide.

Microsoft recommends blocking executable files that do not meet specific criteria such as prevalence and age, or that are outside a regularly maintained trusted list.

Blocking JavaScript and VBScript code from launching downloaded executable content also adds to the defenses of the environment.
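The last two recommendations map directly onto two Microsoft Defender attack surface reduction (ASR) rules. The script below is an added example (not from Microsoft's advisory) that enables them, reads back their state and pulls the events they generate. The rule GUIDs are Microsoft's published identifiers for those rules; the function names are my own. It assumes an elevated PowerShell session on a Windows 10 host where Microsoft Defender Antivirus is the active AV.

```powershell
# Added example; not from the Microsoft advisory summarised above.
# Enables the two Defender ASR rules behind the last two recommendations, starting in
# Audit mode so false positives can be reviewed before switching to Block.

# Microsoft's published ASR rule GUIDs
$AsrRules = [ordered]@{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted-list criterion'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

function ConvertTo-AsrActionName([int]$Action) {
    switch ($Action) { 0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($Action)" } }
}

function Set-TeamsLureAsrRules {
    param(
        # Without -Enforce the rules run in Audit (2): they log Event ID 1122 but do not block.
        # With -Enforce they run in Block (1) and log Event ID 1121 when they fire.
        [switch]$Enforce
    )
    $action = if ($Enforce) { 1 } else { 2 }
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $action
        Write-Host ("{0} -> {1}: {2}" -f $id, (ConvertTo-AsrActionName $action), $AsrRules[$id])
    }
}

function Get-TeamsLureAsrRuleState {
    # Ids and Actions come back from Get-MpPreference as parallel arrays.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        if ($AsrRules.Contains($id)) {
            [pscustomobject]@{
                RuleId = $id
                Name   = $AsrRules[$id]
                State  = ConvertTo-AsrActionName ([int]$pref.AttackSurfaceReductionRules_Actions[$i])
            }
        }
    }
}

function Get-RecentAsrEvents {
    # ASR hits are written to the Defender operational log: 1121 = blocked, 1122 = audited.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Set-TeamsLureAsrRules                 # audit first
Get-TeamsLureAsrRuleState | Format-Table -AutoSize
# Set-TeamsLureAsrRules -Enforce      # after reviewing Get-RecentAsrEvents output
```

The prevalence/age rule can only make its decision when cloud-delivered protection is enabled; with it off, that rule has nothing to compare against. Run in audit mode for a week or two on representative machines and review the 1122 events before enforcing, since the prevalence rule does catch legitimate in-house tools that are new or rare.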

O365 Outage and it’s global

Microsoft 365 was down Monday evening, affecting users' new access requests to multiple services including Outlook, Word, Excel and Microsoft Teams.

“We’re investigating an issue affecting access to multiple Microsoft 365 services,” the Microsoft 365 Status account tweeted Monday at 5:44 p.m. ET. “We’re working to identify the full impact and will provide more information shortly.”

“Users may be unable to access multiple Microsoft 365 services,” the software giant posted on its Office status website.

The company determined that a specific portion of its infrastructure was not processing authentication requests in a timely manner. “We’re pursuing mitigation steps for this issue,” the status update said.

Microsoft Office program users who were already logged in would be able to continue their sessions, the company confirmed.

Microsoft Office outage reports began coming in at 5 p.m. ET Monday at online traffic site DownDetector. Some users began reporting a return of service about 8:30 p.m. ET on the site.

The outage stopped work for some, but created more work for others: IT specialists. “The #Office365 outage is generating tickets like crazy,” tweeted one. “I have just told 5 people in a row: ‘No I cannot fix it. Microsoft is working on it.’”

But others on Twitter had fun at Microsoft’s expense. “There’s a global 365 outage affecting microsoft outlook, i guess we won Monday after all.”

Another Twitter user posted a global outage map, noting “The Microsoft 365 Azure Outage isn’t that bad, it’s only down in places with people that are awake.”

MS Teams updater abused with LOL attack

A considerable spike has been observed in the usage of the Microsoft Teams collaboration service, with millions joining it during the COVID-19 pandemic. Fortunately, researchers got there before attackers did: they identified that a flaw in the Microsoft Teams Updater has risen from the grave.

The flaw was discovered in the MS Teams Updater by reverse engineers Reegun Richard and Charles Hamilton in July 2019. By exploiting it, a malicious actor could use the MS Teams Updater to download any binary or payload they wished.

In August 2020, the researchers found that the earlier fix was incomplete: the restrictions the vendor had added could be bypassed.

An attacker could exploit the flaw by pointing the updater at a remote SMB share. To do so, the attacker first needs to place the payload in an open shared folder inside the targeted network and make sure the victim machine can reach that share.

A faster route is for the attacker to set up their own Samba server: the Microsoft Teams Updater (Update.exe) then downloads the remote payload and executes it directly.

Patching history

Microsoft's earlier efforts did not stop attackers from abusing Teams to download and run their payloads.
The previous patch restricted the updater's ability to update via a URL, which had been the main factor enabling exploitation, but a workaround was identified that bypasses this restriction.
Because of this partially patched flaw, the Microsoft Teams Update.exe binary can act as a LOLBin (living-off-the-land binary) that retrieves and executes malware from a remote location.

Precautions

Before running a downloaded Microsoft Teams “Update.exe” installer, users should validate its size and hash. All outgoing SMB connections, particularly those originating from the Microsoft Teams updater, should be closely monitored and assessed.
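Both precautions can be turned into concrete checks on a Windows endpoint. The script below is an added example, written for this page rather than taken from the researchers' write-up or from Microsoft: one function validates a downloaded installer (size, SHA-256, Authenticode signer), the other runs over Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) records and flags Update.exe launching with a UNC path on its command line or opening an outbound SMB (TCP 445) connection. The Sysmon records at the bottom are constructed for the example, and the `--update=` argument form in them is illustrative, not something the page documents; the per-user install path of Update.exe is the standard Teams location.

```powershell
# Added example; not from the researchers' write-up or from Microsoft.
# 1. Test-TeamsInstaller    - validate a downloaded Teams installer/updater before running it.
# 2. Find-TeamsUpdaterAbuse - flag Update.exe behaviour matching the abuse described above,
#                             using Sysmon Event ID 1 (process create) and 3 (network connect).
# The sample records at the bottom are constructed; the '--update=' form is illustrative.

function Test-TeamsInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256      # SHA-256 of a known-good copy; none is given on the page
    )
    $file   = Get-Item -LiteralPath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $hashOk = if ($ExpectedSha256) { $hash -eq $ExpectedSha256.ToUpperInvariant() } else { $null }
    [pscustomobject]@{
        Path        = $Path
        SizeBytes   = $file.Length
        Sha256      = $hash
        HashMatches = $hashOk
        SigStatus   = $sig.Status            # only 'Valid' is acceptable
        Signer      = $sig.SignerCertificate.Subject
        SignerIsMS  = ($sig.Status -eq 'Valid') -and
                      ($sig.SignerCertificate.Subject -like '*Microsoft Corporation*')
    }
}

function Find-TeamsUpdaterAbuse {
    param([Parameter(Mandatory)][object[]]$Events)
    $updater = '*\Microsoft\Teams\Update.exe'   # per-user (Squirrel) install location
    foreach ($e in $Events) {
        if ($e.Image -notlike $updater) { continue }
        $reason = $null; $detail = $null
        if ($e.EventId -eq 1 -and $e.CommandLine -match '\\\\[^\\\s]+\\') {
            $reason = 'Update.exe invoked with a UNC path on its command line'
            $detail = $e.CommandLine
        }
        elseif ($e.EventId -eq 3 -and [int]$e.DestinationPort -eq 445) {
            $reason = 'Update.exe opened an outbound SMB connection'
            $detail = "$($e.DestinationIp):$($e.DestinationPort)"
        }
        if ($reason) {
            [pscustomobject]@{ EventId = $e.EventId; Image = $e.Image; Detail = $detail; Reason = $reason }
        }
    }
}

function Get-SysmonEvents {
    # Live data: flatten Sysmon EventData fields (Image, CommandLine, DestinationIp, ...) into properties.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3 } `
                 -MaxEvents 5000 -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $h = @{ EventId = $_.Id }
        foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        [pscustomobject]$h
    }
}

# Constructed sample records (not real telemetry).
$teamsUpdater = 'C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe'
$sample = @(
    [pscustomobject]@{ EventId = 1; Image = $teamsUpdater; CommandLine = 'Update.exe --processStart "Teams.exe"'; DestinationIp = $null; DestinationPort = $null }  # normal start
    [pscustomobject]@{ EventId = 1; Image = $teamsUpdater; CommandLine = 'Update.exe --update=\\10.0.0.5\share';   DestinationIp = $null; DestinationPort = $null }  # UNC path
    [pscustomobject]@{ EventId = 3; Image = $teamsUpdater; CommandLine = $null; DestinationIp = '10.0.0.5'; DestinationPort = '445' }                                # SMB out
    [pscustomobject]@{ EventId = 3; Image = 'C:\Windows\explorer.exe'; CommandLine = $null; DestinationIp = '10.0.0.5'; DestinationPort = '445' }                    # not Teams
)

Find-TeamsUpdaterAbuse -Events $sample | Format-Table -AutoSize    # flags the 2nd and 3rd records only
# Find-TeamsUpdaterAbuse -Events (Get-SysmonEvents)                # against live Sysmon data
# Test-TeamsInstaller -Path '<downloaded installer>' -ExpectedSha256 '<hash from a trusted copy>'
```

The signature check is the stronger of the two installer tests: an attacker who serves a tampered installer can publish a matching hash next to it, but cannot produce a Microsoft Corporation Authenticode signature. The Sysmon rule is deliberately narrow (only Update.exe, only UNC arguments or port 445), so it is quiet enough to page on; Teams' own updates go out over HTTPS, not SMB, so any SMB traffic from that binary deserves a look.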

MS Teams moving to OAuth 2.0

Microsoft has released Microsoft Teams Rooms app version 4.4.41.0 on the Microsoft Store; it will deliver new features to all Microsoft Teams Rooms devices over the next few weeks.

The key update in version 4.4.41.0 is support for modern authentication. This relates to recently announced upcoming changes to Exchange Online, which will remove ‘Basic Authentication’ as an option and affect Exchange clients such as Microsoft Teams Rooms.

Exchange Online currently uses Basic Authentication by default, which means client apps send a username and password across the network with every request.

While it is simple to set up, it exposes credentials to attackers who capture them on the network and reuse them from other devices. Basic Authentication is also an obstacle to adopting multi-factor authentication in Exchange Online, Microsoft said.

Microsoft intends to turn off Basic Auth in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP and Remote PowerShell on October 13, 2020, and is encouraging customers to move to OAuth 2.0 token-based ‘Modern Authentication’.
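Tenants do not have to wait for the cut-off. The script below is an added example, not part of Microsoft's announcement, showing how an Exchange Online admin can confirm OAuth 2.0 (modern auth) is enabled, refuse Basic Authentication for exactly the four protocols named above, and report what each authentication policy still allows. It uses the Exchange Online PowerShell cmdlets (`Get-/Set-OrganizationConfig`, `New-/Set-/Get-AuthenticationPolicy`, `Set-User`); the policy name and the tenant in the connection comment are my own placeholders.

```powershell
# Added example; not from Microsoft's announcement.
# Prerequisite: Install-Module ExchangeOnlineManagement, then
#   Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com   # tenant name assumed

function Enable-ModernAuthOnly {
    param([string]$PolicyName = 'Block Basic Auth (EAS, POP, IMAP, PowerShell)')

    # 1. Make sure the tenant accepts OAuth 2.0 client profiles (modern auth) at all.
    if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }

    # 2. Create (or reuse) an authentication policy. A new policy refuses Basic for every
    #    protocol by default; the explicit switches below document the four Microsoft is
    #    retiring on October 13, 2020.
    if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
        New-AuthenticationPolicy -Name $PolicyName | Out-Null
    }
    Set-AuthenticationPolicy -Identity $PolicyName `
        -AllowBasicAuthActiveSync:$false `
        -AllowBasicAuthPop:$false `
        -AllowBasicAuthImap:$false `
        -AllowBasicAuthPowershell:$false

    # 3. Make it the tenant default. Per-user overrides use Set-User -AuthenticationPolicy.
    Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
}

function Invoke-PolicyRefreshForUser {
    # Policy changes can take up to 24 hours to bite; resetting the refresh-token validity
    # makes the new policy apply to this user on their next connection.
    param([Parameter(Mandatory)][string]$Identity)
    Set-User -Identity $Identity -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
}

function Get-BasicAuthExposure {
    # Which Basic Auth protocols does each policy still permit, and which policy is the default?
    $default = (Get-OrganizationConfig).DefaultAuthenticationPolicy
    Get-AuthenticationPolicy | ForEach-Object {
        $allowed = $_.PSObject.Properties |
            Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
            ForEach-Object { $_.Name -replace '^AllowBasicAuth', '' }
        [pscustomobject]@{
            Policy           = $_.Name
            IsTenantDefault  = ($_.Identity -eq $default) -or ($_.Name -eq $default)
            StillAllowsBasic = if ($allowed) { $allowed -join ', ' } else { '(none)' }
        }
    }
}

Enable-ModernAuthOnly
Get-BasicAuthExposure | Format-Table -AutoSize
# Invoke-PolicyRefreshForUser -Identity 'room-a@contoso.onmicrosoft.com'   # placeholder mailbox
```

Run `Get-BasicAuthExposure` before changing anything and again afterwards; the first run tells you whether any existing policy still permits Basic for SMTP, MAPI or the other protocols the October cut-off does not cover, which is a separate decision from the one this article describes.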

After installing the Teams Rooms update, admins will be able to configure the product to use Modern Authentication to connect to Exchange, Teams and Skype for Business services. Using OAuth 2.0 tokens issued by Azure Active Directory removes the need to send the actual password over the network with each request.

While the change is optional until October 13, Microsoft warns that Microsoft Teams Rooms devices still configured for basic authentication could run into login problems after the cut-off date.

“Modern authentication support for Microsoft Teams Rooms will help ensure business continuity for your devices connecting to Exchange Online,” Microsoft said.