November 6, 2024 at 01:57PM
The VEILDrive threat campaign leverages Microsoft services like Teams and SharePoint to distribute malware through spear-phishing. Discovered by Hunters in September 2024, the attack targeted a U.S. critical infrastructure, using compromised accounts and Quick Assist for remote access. This strategy complicates detection of the malware, which connects to adversary-controlled OneDrive.
### Meeting Takeaways – Nov 06, 2024 – Ravie Lakshmanan: SaaS Security / Threat Detection
1. **Threat Campaign Overview**: A campaign named VEILDrive has been identified, leveraging Microsoft services (Teams, SharePoint, Quick Assist, OneDrive) to execute attacks.
2. **Exploited Infrastructure**: The attackers used compromised accounts from previous victims to distribute spear-phishing attacks and host malware, taking advantage of trusted infrastructures.
3. **Incident Discovery**: The campaign was uncovered in September 2024 in response to a cyber incident at a critical infrastructure organization designated as “Org C.”
4. **Initial Compromise**: Attackers impersonated IT staff to gain remote access through Quick Assist, which allowed them to exploit Microsoft Teams’ external access feature to communicate with targeted employees.
5. **Malware Deployment**: The main payload included:
– **LiteManager**: A remote access tool shared via a SharePoint link.
– **Java-based Malware**: Distributed in a ZIP file that included the necessary Java Development Kit (JDK) for execution.
6. **Command and Control Mechanism**: The malware connects to an adversary-controlled OneDrive account for command execution, using hard-coded Entra ID credentials, and employs Microsoft Graph API for PowerShell commands.
7. **Previous Incidents**: Similar tactics were previously reported, including misuse of Quick Assist by the group Storm-1811 to deploy Black Basta ransomware.
8. **Detection Challenges**: The strategy employed complicates detection, as it is designed to bypass conventional defenses with a clear and readable code structure, making it difficult to identify through standard monitoring systems.
9. **Ongoing Monitoring**: Microsoft is witnessing ongoing abuses of legitimate file hosting services as methods to avoid detection.
### Next Steps
– Stay updated on potential patches or protective measures from Microsoft.
– Evaluate internal systems for vulnerabilities related to Microsoft Teams and Quick Assist functionalities.
– Consider additional training for employees on recognizing spear-phishing attempts, especially through legitimate services.
These points highlight the main threats and vulnerabilities associated with the VEILDrive campaign and underscore the need for heightened awareness and preventive measures in SaaS security.