Top Highlights
- The investigation revealed two separate threat actors operating simultaneously within a compromised environment, complicating detection and attribution efforts.
- Attackers used legitimate tools such as Velociraptor, Cloudflare tunnels, Zoho Assist, and VS Code SSH to covertly maintain persistent access and evade security measures.
- The campaign targeted on-premises SharePoint servers, exploiting known vulnerabilities and deploying tools for privilege escalation, long-term control, and stealthy network movement.
- Microsoft’s response highlighted the importance of patching vulnerabilities, strengthening identity security, monitoring remote access tools, and maintaining robust incident response plans to defend against multi-actor intrusions.
Key Challenge
A routine ransomware investigation unexpectedly revealed a more complex threat landscape. Initially focused on a single intrusion, security researchers discovered two distinct threat actors operating within the same compromised environment. One group, identified as Storm-2603, exploited vulnerabilities in on-premises SharePoint servers and used trusted tools such as Velociraptor, Cloudflare tunnels, Zoho Assist, and VS Code SSH to maintain long-term access. They employed tactics such as privilege escalation and system driver exploitation, making their activities indistinguishable from legitimate administrative tasks. Meanwhile, a second threat actor relied on different malicious methods, including DLL sideloading and custom backdoors, further complicating attribution. This overlap created significant challenges for detection and containment, as signals from multiple malicious campaigns intertwined and muddied the investigation. Microsoft’s DART team responded swiftly, correlating telemetry and activating a structured response playbook that ultimately contained the intrusion. The incident underscores the importance of patching vulnerabilities, securing identities, and monitoring remote access tools to prevent such multi-faceted attacks in the future.
Risk Summary
Attackers abusing legitimate tools such as Velociraptor, Cloudflare Tunnels, Zoho Assist, and VS Code SSH for persistence can severely impact your business. Once attackers gain access, they can maintain stealthy control, evade detection, and continuously exploit your systems. As a result, sensitive data could be stolen, leading to regulatory penalties, loss of customer trust, and financial damage. Operational disruptions may also cause downtime, affecting productivity and revenue. If your business falls victim to this type of attack, the consequences could be costly and long-lasting, which makes strong preventive security measures essential.
Possible Actions
Addressing attackers’ abuse of tools such as Velociraptor, Cloudflare Tunnels, Zoho Assist, and VS Code SSH for persistence is crucial to maintaining the integrity and security of your systems. Timely remediation ensures that malicious actors cannot establish long-term control, minimizing potential damage and preventing future exploitation.
Containment Measures
- Isolate affected assets
- Disable compromised accounts or services
Detection & Analysis
- Conduct thorough log analysis
- Identify unusual activity patterns
Eradication Procedures
- Remove unauthorized software and tools
- Patch exploited vulnerabilities
Recovery Actions
- Restore systems from clean backups
- Verify system integrity before bringing systems back online
Preventive Strategies
- Implement strong access controls and multi-factor authentication
- Apply regular software updates and patches
- Disable unnecessary remote access features
- Establish strict monitoring and alerting protocols