News Wrap: Microsoft Sway Phish, Malicious GIF and Spyware Attacks


Threatpost editors discuss a phishing attack abusing Microsoft Sway, a Microsoft Teams flaw and an Android spyware campaign unearthed this week.

Threatpost editors Tom Spring, Tara Seals and Lindsey O’Donnell-Welch talk about the biggest news stories of the week ended May 1, including:

  • A “PhantomLance” espionage campaign discovered targeting specific Android victims, mainly in Southeast Asia — which could be the work of the OceanLotus APT.
  • A highly targeted phishing campaign, uncovered this week, with a Microsoft file platform twist, that successfully siphoned the Office 365 credentials of more than 150 executives since mid-2019.
  • A Microsoft vulnerability found in Microsoft Teams that could have allowed an inside attacker to weaponize a single GIF image and use it to pilfer data from targeted systems and take over all of an organization’s Teams accounts.


Find a lightly edited transcript of the podcast below.

Lindsey O’Donnell-Welch: Hey, welcome back to the Threatpost news wrap podcast. It’s the week ended Friday May 1. You’ve got myself Lindsey O’Donnell-Welch and Tom Spring and Tara Seals with Threatpost here today to talk about the biggest news from this past week. Tom and Tara, happy first day of May.

Tara Seals: Hey, Lindsey, happy May day.

Tom Spring: How’s it going?

Lindsey: Good. Well, so Tara, speaking of things that happened this week, you went to SAS@home, and that was Kaspersky’s virtual SAS conference that they held this week, which will be held in addition to the real in person SAS that will take place later in the fall. How was that, what was kind of announced there?

Tara: Yeah, it’s kind of ironic to say that I went to it. I guess I stayed for it. But yeah, so it was great. They basically once they had to postpone their Security Analyst Summit, SAS, to November, we’ll be able to have it in Barcelona then. But in the meantime, you know, Eugene Kaspersky got on and made some opening remarks at the beginning, basically saying that now it’s more important than ever for people to trade threat intelligence and kind of get together and swap ideas and come together and talk. I mean, particularly in the midst of the pandemic, when you have healthcare organizations under attack and things like that. And so, he felt it was important to go ahead and have some kind of event. So they did this three-day thing, it was three hours per day this week for three days. And it was really good, it was tightly focused, a lot of just sort of, you know, fun asides and games thrown in the middle of the very serious technical trainings that they had. And they also broke some news. They released some research on an APT attack in Asia using Google Play as well.

Lindsey: It was an ongoing espionage campaign, right? And I thought that was interesting because they were talking about how this is likely the work of the OceanLotus APT actor, and kind of tying in overlaps with previous OceanLotus activity and how that plays into this previous campaign. So you know, what was going on there?

Tara: Yeah, so they call it the “PhantomLance” espionage campaign and I actually reached out and asked them why they call it that and I haven’t gotten an answer yet, but hopefully I will at some point. But basically, it’s kind of a typical Android campaign in that this particular malware is masquerading or hiding itself within apps that claim to be legitimate utility apps. So that’s not necessarily anything new there. However, what is new is that these apps, they took great pains to get past the Google Play filters, going so far as to set up GitHub repositories for their so-called developer code, complete with sort of public facing email addresses, like “contact us about your projects” and things like this, they set up this entire backstory, this very elaborate backstory, that this was a legitimate app from a legitimate software company that was being designed. And then they would upload those apps to Google Play, and they wouldn’t have any malicious activity in the first version, but then when they went to update those apps later, that’s when they would introduce the malware component, which is basically your run of the mill espionage component, can log keystrokes, take screenshots, listening on text messages, that sort of thing. So it’s notable for a couple of different things, starting with how insidious they were, and how they basically bided their time in order to upload several different applications to Google Play. And as far as Kaspersky is aware, they’re still there. The effort is still ongoing. They’re still continuing their efforts to get past Google’s filters.

Lindsey: It seemed like the malware’s operators actually only infected around 300 targeted attempts that were observed on Android devices. I mean, does that speak to this being more highly targeted type of attack? Or what does that kind of say about the motivations here?

Tara: Yeah. And so that was what really struck them when they were kind of looking at this because all of that behavior, even though it’s sort of, you know, elaborate and complex and takes a lot of effort and all these kinds of things, you know, to get an app into Google Play using those techniques. I mean, it’s still not necessarily anything particularly shocking. I mean, we’ve seen campaigns like that before. But what really stood out to them was the fact that this appeared to be targeted. And a lot of the past Android, Google Play app gambits have been more spray and pray, they just kind of want to infect as many users as possible, and it’s not really targeted.

This particular campaign did definitely seem as though it were targeted. So once a person installed the app, then there would be some fingerprinting done and then they would decide whether or not to deploy the payload afterwards and then the payloads themselves were tailored to the specific end user, so there was a lot of care taken in selecting victims. And that is what made the researchers realize this was most likely an APT attack, a nation-state phase, and then, you know, as you pointed out, they looked at some code similarities to prior campaigns and determined that this is most likely related to OceanLotus, which is widely considered to be linked with Vietnam.

Lindsey: Yeah, that’s really interesting. And I know, too. I mean, one final question I had was, you mentioned before that this was being distributed through dozens of apps that were on the Google Play official market, but then also third-party marketplaces. Did they talk at all about kind of what the apps were purporting to be and whether that had anything to do with how they were targeting certain people as part of the campaign?

Tara: Yeah, so the campaign was largely focused on targets in Asia. And so some of the apps that they were using were in particular focused on targets in Vietnam. And I also reached out to Kaspersky researchers to find out about the victimology. They’ve got a Vietnamese APT targeting people within their own countries, so was it targeting dissidents, or what’s the end goal here? We don’t know. But a lot of the apps were definitely focused on Vietnamese speakers both, you know, from a language perspective, as well, as you know, what they purported to do. Like there was one that, you know, claimed to – or actually it did have this functionality in it – But it would allow a user to find hubs around them. So a geo-location app, basically you flip that on and see what kinds of bars are around you and you go get a drink with your friends basically.

Lindsey: I’m sure there’s a very particular type of person they were trying to target that one with.

Tara: Exactly, exactly. There was another one that was like religious focused, it had to do with church activities. And if you were looking for church activities in certain cities in Vietnam, this app was targeted to that so things like that. So it’s pretty interesting.

Lindsey: Yeah, well, those highly targeted campaigns as opposed to the spray and pray ones are always of more interest to me just in how they kind of go about looking into victims and distributing the malware. And I know, also that I had written a similar type of article this week, actually, just yesterday, there was a report of a super targeted phishing campaign, that researchers had said that it had compromised successfully more than 150 top level executives at various companies over the past half year or so.

And the phishing campaign used a ton of different Microsoft file sharing platforms including Microsoft Sway, which if you guys don’t know what that is, it’s basically Microsoft’s platform for newsletters and presentations. And it also used SharePoint and OneNote and some of the other ones. And it used those to convince the executive to input their Office 365 credentials into the final landing page. And then the attackers would collect those credentials, compromise the entire account of the executive and that would obviously give them these super valuable types of corporate data and they were also able to launch subsequent phishing attacks on other high profile targets, other executives and other correspondents.

Tom: I have a question. What was the ploy? I mean, how do they actually get people to, like, what was the means in which they were able to trick people into putting their credentials in? I mean, I understand that these they were presenting the targets with Microsoft-based documents, but was it a money order? You know, I’m just curious. I mean, it’s always the ploy that kind of interests me in terms of people, you know, prey on, on sort of the human nature. I’m just curious.

Lindsey: Yeah. So it’s a good question. And so for this particular one, what they were doing was because they had compromised email accounts, and they were targeting correspondents of those emails. One reason why this was so successful is because the victims would receive an email from a business partner, you know, someone who they had had previous correspondence with and it was a legitimate email, but it was attacker controlled because they had compromised that person.

Tom: So it is from a trusted, a trusted contact, that the hackers had previously sort of compromised and they were using that person’s email address and or account to, to sort of propagate malicious emails to people within their contact list?

Lindsey: Yeah, exactly. So the one that researchers were looking at was to the victim from one of their actual business partners.

Tom: It wasn’t spoofed, it was actually it was using the mail server and the actual email address, threatpost typo squatting?

Lindsey: Right. In the email, the contents basically said, “please see this document from us for your review and let us know if you have any concerns.” And yeah, so it would reference a PDF file attachment. And once the victim clicked on that what would happen is it would actually, there was a number of different, like platforms that were used and different pages they would have to go through in order to get to the end phishing landing page, which I thought was kind of interesting.

I don’t know if that necessarily would add an air of legitimacy or if that would make executives kind of scratch their head and be like, “Why do I have to go through all these steps,” but they would essentially be taken from the initial email to the PDF file and from the PDF file, they would go to another file that was a Microsoft Sway file and it was pretending to be an Office 365 notification that said, “you have a new message log in here to learn more.” From there, they would then go to the actual landing page, which would have them sign into their Office 365 account, and that would be attacker controlled, and the attacker would then get their credentials. So it was a pretty strenuous type of campaign that you had to go through. But it seemed like it had the level of detail and sophistication that it was working and successfully compromising executive credentials. That said, they did have a couple of small mistakes that the attackers had made that could signal that this was an attacker-controlled type of campaign. For example, there were some small spelling errors. The landing page that they used for Microsoft Single Sign On for Outlook was actually a phishing kit that appeared to be reused from Microsoft’s Outlook login page from 2017. So if you were more of a savvy user, you might kind of recognize that it looked off. But overall, I mean, it was a pretty, pretty tricky campaign.

Tom: Interesting. Yeah. Interesting.

Lindsey: Yeah. And speaking of Microsoft, Tom, you also had a story about a vulnerability in Microsoft Teams that made a lot of waves earlier this week. What was that all about?

Tom: Yeah, so you know, one of the things you’re hearing more and more about are these so called zero click attacks, or zero click vulnerabilities. I was just trying to do some research, to digress, I’ve been seeing this phrase, zero click, more and more, I did a quick couple Google searches, it seems to be a rising way of terming these types of attacks, where it really doesn’t take any interaction from the user at all. And the attack is delivered into your inbox or in this case to Microsoft Teams. And this attack specifically was using Microsoft Teams – CyberArk was the research company that developed a proof of concept behind this type of attack – And essentially what it was, was that Microsoft Teams uses a sophisticated sort of authentication mechanism to be able to make sure that when you send either a link to somebody on Teams, or you send a GIF and I do call them GIFs not GIFs. So, you know, you know, hold your comments or whatever. Anyways, if you send an image or a GIF on Microsoft Teams CyberArk found that when the image, the GIF image was delivered to a Microsoft Teams person, because of this authentication mechanism that Microsoft has, they were able to hijack the Teams account or should I say the Teams credentials, so the team members. So if I sent you a malicious GIF image, and you viewed it within your Teams account, I could use that to be able to take over your authentication token and then grab your credentials. Then what I could use from using your credentials, I could further infiltrate the entire Teams ecosystem within a company and get all the credentials. And then you know, you can imagine the lateral types of attacks, or the types of attacks that would be a springboard for further attacks and further compromises. So think of me not necessarily sending a Teams image to you that was malicious, but sending it to a group. And the same thing applies.

Now the attackers were in this proof of concept attack developed by CyberArk, they were taking advantage of again the authentication mechanism, which was using a Microsoft authentication server. And what was happening was, was that in this scenario, there were insecure domain names, or should I say subdomains, that Microsoft hadn’t secured. So the fix was very simple by Microsoft. They just had to update their code to make sure that their subdomains were not vulnerable to being hijacked. Now, on a separate note, since February, researchers have pounded Microsoft hard in terms of having like hundreds and hundreds of insecure subdomains. And, I don’t know why a company the size of Microsoft hasn’t like locked down all of their subdomains, but this is an example of how insecure subdomains are causing not only man-in-the-middle attack opportunities, but creating real authentication issues on the back end with Microsoft Teams. Very interesting story. It’s far more technical than I’m giving it justice. But I think the main takeaway is, you know, it’s pronounced GIF, not GIF.

Lindsey: Oh, the one takeaway. I think that was an interesting story too, just in terms of a lot of the security concerns and kind of hype around collaboration platforms that’s happening now. And obviously, Zoom has gotten a lot of flack from different researchers. But I think this also goes to show that Microsoft Teams and Skype and Slack are also obviously prone to attacks too. That kind of highlights the basic security precautions that people need to take to protect themselves. I mean, obviously, this is more of making sure that a vulnerability was patched but I do think it’s important too that this shows kind of that this is an issue across all platforms.

Tom: Yeah, there’s no silver lining on a global pandemic. But the one thing that we are definitely seeing is a lot more attention put on the security and reliability of these communication platforms that are allowing people to work remotely. A theme that we’ve already seen, and we will continue to see. All of these vulnerabilities existed six months ago. And, these platforms are becoming extremely more secure, which is positive, which is the way it should have been six months ago.

Lindsey: True. That’s, that’s a very good point. Well, on that note, let’s wrap up here, Tom, and Tara, thanks for coming on to talk about the biggest stories that we wrote about this week.

Tom: Thank you.

Tara: Have a great weekend, guys.

Lindsey: You too. And to all our listeners. Thanks for joining us today. If you liked what you heard here, please be sure to share this episode on social media. If you have any comments or thoughts regarding any of the news stories we talked about, please reach out to us on Twitter at @Threatpost and let’s keep the conversation going and if not, catch us next week on the Threatpost podcast.
