Cyberbandits came from where no one expected them.
The Israeli cybersecurity company Hunters has recorded the activity of the VEILDrive cyber group, which abuses legitimate Microsoft services (Teams, SharePoint, Quick Assist and OneDrive) to spread phishing attacks and deploy malware. Experts discovered the campaign in September 2024 while investigating an incident at one of the critical infrastructure organizations in the United States, designated "Organization C".
The cyberattack began back in August and culminated in the deployment of Java-based malware that uses OneDrive as its command-and-control infrastructure. The attackers sent messages via Teams to employees of "Organization C", posing as IT specialists and requesting remote access through Quick Assist.
A distinctive feature of the attack was the use of an existing account belonging to a previously compromised victim ("Organization A"), rather than the creation of a new one. This bypassed standard security measures thanks to the external access feature in Microsoft Teams, which by default allows communication with users from other organizations.
The next stage of the attack involved sending a link to download an archive file via SharePoint. The archive contained the LiteManager remote access program, which the cybercriminals used to create scheduled tasks and keep monitoring the system. In addition, they downloaded a second ZIP file containing the malware in Java Archive (JAR) format, which connected to a compromised OneDrive account and executed PowerShell commands received via the Microsoft Graph API.
The cybercriminals also provided a backup mechanism: a connection to a remote Azure virtual machine over HTTPS in order to receive commands and execute them on the system.
This attack is not the first in which Quick Assist has been used for fraud. In May 2024, Microsoft warned about the abuse of this service by the Storm-1811 group, which posed as technical support employees and distributed the Black Basta ransomware.
In recent months, there has also been an increase in the use of SharePoint and OneDrive to circumvent security systems. Hunters notes that this strategy relies on a simple and well-structured code base, which makes it much more difficult to detect the malware in real time and makes it unusually "transparent".
Source
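As an added defensive illustration (not part of the original post or of Hunters' tooling), the script below correlates three weak signals from the chain described above on one host within a time window: a Quick Assist launch, a scheduled-task creation, and a Java process contacting graph.microsoft.com. The event records, host names, timestamps and image paths are constructed assumptions modelled on Sysmon-style telemetry.

```python
"""Correlate VEILDrive chain stages from the post above, per host, within a
time window: Quick Assist launched, scheduled task created (LiteManager
persistence), Java process reaching graph.microsoft.com (OneDrive as C2).
Events are constructed Sysmon-style records; image paths are assumptions."""
from datetime import datetime, timedelta

JAVA_IMAGES = ("java.exe", "javaw.exe")
GRAPH_HOST = "graph.microsoft.com"
WINDOW = timedelta(hours=6)

def classify(ev):
    """Return the chain stage this event represents, or None."""
    image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("CommandLine", "").lower()
    if ev["EventID"] == 1 and image == "quickassist.exe":
        return "quick_assist"
    if ev["EventID"] == 1 and image == "schtasks.exe" and "/create" in cmd:
        return "sched_task"
    if (ev["EventID"] == 3 and image in JAVA_IMAGES
            and ev.get("DestinationHostname", "").lower() == GRAPH_HOST):
        return "java_graph"
    return None

def find_chains(events):
    """Hosts where all three stages occur within WINDOW of each other."""
    seen = {}  # host -> {stage: earliest timestamp}
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        ts = datetime.fromisoformat(ev["UtcTime"])
        stages = seen.setdefault(ev["Host"], {})
        stages[stage] = min(stages.get(stage, ts), ts)
    return sorted(h for h, s in seen.items()
                  if len(s) == 3 and max(s.values()) - min(s.values()) <= WINDOW)

def _ev(host, eid, t, image, **extra):
    return {"Host": host, "EventID": eid, "UtcTime": t, "Image": image, **extra}
SAMPLE_EVENTS = [  # constructed: one full chain plus two benign look-alikes
    _ev("WS-17", 1, "2024-08-12T09:14:02", r"C:\Windows\System32\QuickAssist.exe"),
    _ev("WS-17", 1, "2024-08-12T09:40:11", r"C:\Windows\System32\schtasks.exe",
        CommandLine=r"schtasks.exe /Create /SC ONLOGON /TN Upd /TR C:\Users\Public\lm\agent.exe"),
    _ev("WS-17", 3, "2024-08-12T10:02:55", r"C:\Program Files\Java\bin\javaw.exe",
        DestinationHostname="graph.microsoft.com"),
    _ev("DEV-03", 3, "2024-08-12T11:00:00", r"C:\Program Files\Java\bin\java.exe",
        DestinationHostname="graph.microsoft.com"),  # developer using the Graph SDK
    _ev("WS-22", 1, "2024-08-12T13:30:00", r"C:\Windows\System32\QuickAssist.exe"),  # genuine helpdesk session
]
if __name__ == "__main__":
    print(find_chains(SAMPLE_EVENTS))  # ['WS-17']
```

Each signal alone is common in a normal tenant (helpdesk sessions, Graph SDK developers, task maintenance); the value is in requiring all three on one host inside the window.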