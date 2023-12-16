Microsoft has warned of an increase in malicious activity by an emerging threat actor it tracks under the name Storm-0539, which specializes in gift card fraud and theft through highly sophisticated email and SMS phishing attacks against retail organizations during the holiday shopping season.

How Storm-0539 works

The goal of the attacks is to spread booby-trapped links that direct victims to adversary-in-the-middle (AiTM) phishing pages capable of collecting their credentials and session tokens.

“After gaining access to an initial session and token, Storm-0539 registers their own device for subsequent secondary authentication prompts, evading MFA protections and persisting in the environment using the fully compromised identity,” the tech giant said in a series of posts on X (formerly known as Twitter).

The foothold obtained in this way then serves as a conduit for escalating to higher privileges (such as those of an administrator), moving laterally across the network, and accessing cloud resources in order to acquire sensitive information, specifically targeting gift card services to facilitate fraud.
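The chain described above (a replayed session token, then a newly registered device to satisfy later MFA prompts) leaves a correlatable trace in identity logs. The following detection logic is an added example written for this article, not code from Microsoft or from the original report; it runs over constructed sample sign-in and device-registration records in a simplified schema of my own (the field names `mfa`, `result`, `device` and the value `skipped_token` are assumptions, not a real provider's log format) and flags a device registration that follows, within a short window, a successful sign-in from an IP where the user has never completed a fresh MFA challenge.

```python
"""Flag device registrations that follow a token-only sign-in from an unfamiliar IP.

Added example for this article (not Microsoft's code). The log schema is a
constructed, simplified one; map the field names to your own identity provider's
sign-in and audit logs before use.
"""
from datetime import datetime, timedelta

# Registrations more than this long after the suspicious sign-in are not correlated.
WINDOW = timedelta(minutes=60)

# Constructed sample sign-in events (not real telemetry).
# "mfa": "satisfied"     -> user completed a fresh MFA challenge
# "mfa": "skipped_token" -> an existing session token was honoured, no fresh MFA
SIGNINS = [
    {"ts": "2023-12-01T09:00:00", "user": "alice", "ip": "203.0.113.10", "mfa": "satisfied", "result": "success"},
    {"ts": "2023-12-01T09:42:00", "user": "alice", "ip": "198.51.100.77", "mfa": "skipped_token", "result": "success"},
    {"ts": "2023-12-01T10:05:00", "user": "bob", "ip": "203.0.113.22", "mfa": "satisfied", "result": "success"},
]

# Constructed sample device-registration audit events (not real telemetry).
DEVICE_REGISTRATIONS = [
    {"ts": "2023-12-01T09:50:00", "user": "alice", "device": "DESKTOP-NEW01", "ip": "198.51.100.77"},
    {"ts": "2023-12-01T15:00:00", "user": "bob", "device": "BOB-LAPTOP", "ip": "203.0.113.22"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.fromisoformat(value)


def find_suspicious_registrations(signins, registrations, window=WINDOW):
    """Return one alert per device registration matching the AiTM-then-register pattern.

    A registration is flagged when, for the same user:
      1. the registering IP is not one where the user previously completed fresh MFA, and
      2. within `window` before the registration there was a successful sign-in from
         that same IP that did not complete fresh MFA (i.e. a reused session token).
    """
    alerts = []
    for reg in registrations:
        reg_ts = parse_ts(reg["ts"])
        # Only sign-ins that happened before the registration are relevant baseline.
        prior = [
            s for s in signins
            if s["user"] == reg["user"] and s["result"] == "success" and parse_ts(s["ts"]) <= reg_ts
        ]
        trusted_ips = {s["ip"] for s in prior if s["mfa"] == "satisfied"}
        if reg["ip"] in trusted_ips:
            continue  # the user has proven MFA from this location before; benign baseline
        for s in prior:
            if s["ip"] == reg["ip"] and s["mfa"] != "satisfied" and reg_ts - parse_ts(s["ts"]) <= window:
                alerts.append({
                    "user": reg["user"],
                    "device": reg["device"],
                    "ip": reg["ip"],
                    "registered_at": reg["ts"],
                    "token_signin_at": s["ts"],
                    "reason": "device registered shortly after token-only sign-in from untrusted IP",
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_registrations(SIGNINS, DEVICE_REGISTRATIONS):
        print(alert)
```

In the sample data only alice's registration is flagged: her second sign-in came from a new IP without a fresh MFA challenge and a device was registered from that IP eight minutes later, whereas bob registered from an IP where he had already completed MFA. In production the baseline of trusted IPs should be built from a longer history than the single day shown here, and the window tuned to how quickly legitimate users enrol devices after signing in.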

Additionally, Storm-0539 harvests emails, contact lists, and network configurations for subsequent attacks against the same organizations, making it necessary to adopt robust credential protection practices (strong, long passwords, a secondary email address, two-step verification, etc.).

Redmond, in its monthly Microsoft 365 Defender report published last month, described the adversary as a financially motivated group that has been active since at least 2021.

“Storm-0539 conducts extensive reconnaissance of target organizations in order to create convincing phishing lures and steal credentials and user tokens for initial access,” Redmond said, adding that “the actor is well versed in cloud providers and leverages resources from the target organization's cloud services for post-compromise activities.”

The disclosure comes days after the company announced it had obtained a court order to seize the infrastructure of a Vietnamese cybercriminal group called Storm-1152, which sold access to approximately 750 million fraudulent Microsoft accounts as well as tools to bypass identity verification on other technology platforms.

Earlier this week, Microsoft also warned that several threat actors are abusing OAuth applications to automate financially motivated cybercrime, such as business email compromise (BEC), phishing and large-scale spam campaigns, and to deploy virtual machines for illicit cryptocurrency mining.

How to prevent an attack like Storm-0539

To protect yourself from attacks like the ones described in this article, various security measures can be taken. Here are some recommendations: