Are you prepared for attacks from cybercrime groups like Storm-0324 that infiltrate networks and act as distributors for other attack payloads such as ransomware? Understanding cybercriminal tactics is an important step in fighting them. Read this Microsoft article analyzing Storm-0324's tools, its tactics, techniques and procedures (TTPs), and its documented attacks. Learn how Microsoft Defender helps to identify threats such as these and mitigate their impact.
Storm-0324 is a financially motivated group that primarily gains initial access to networks through email-based phishing attacks. They then hand off this access to other threat actors, which often leads to ransomware deployment. This group has been active in distributing various malware payloads, including the JSSLoader, which facilitates access for ransomware actors like Sangria Tempest.
How does Storm-0324 operate?
Storm-0324 employs highly evasive tactics, utilizing email chains that often reference invoices and payments to lure victims. They have recently started using Microsoft Teams to send phishing lures, directing users to malicious SharePoint-hosted files. Their delivery methods include various file formats, such as Microsoft Office documents and JavaScript, to execute their malware.
How can organizations defend against Storm-0324?
Organizations can enhance their defenses by implementing phishing-resistant authentication methods, applying security best practices for Microsoft Teams, and educating users about social engineering tactics. Additionally, using Microsoft 365 Defender can help detect Storm-0324 activity, while maintaining credential hygiene and following the principle of least privilege can limit the impact of potential ransomware attacks.
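The two sections above describe the lure (invoice and payment themes), the delivery channel (email and Teams messages pointing at SharePoint-hosted files) and the payload formats (Office documents and JavaScript). As an added example that is not part of the Microsoft article and is not Microsoft 365 Defender's detection logic, the following Python triage rule combines those indicators into a simple defender-side heuristic over message records. The `Message` fields, the regular expressions, the risky-extension list and the flagging threshold are my own assumptions; the sample messages are constructed and contain no real sender, tenant or URL.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators drawn from the behaviour described on the page:
# invoice/payment-themed lures, links to SharePoint-hosted files, and
# Office/JavaScript delivery formats. Patterns and thresholds are my own
# assumptions, not Microsoft's detection logic.
SHAREPOINT_URL = re.compile(r"https?://[\w.-]*sharepoint\.com/\S+", re.I)
LURE_WORDS = re.compile(r"\b(invoice|payment|remittance|overdue|statement)\b", re.I)
RISKY_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".docm", ".xlsm", ".zip", ".iso")


@dataclass
class Message:
    channel: str                 # "teams" or "email"
    sender_domain: str
    external: bool               # sender is outside the organisation's tenant
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def indicators(msg: Message, trusted_domains: set[str]) -> list[str]:
    """Return the indicator tags that fire for one message."""
    found = []
    if msg.external and msg.sender_domain.lower() not in trusted_domains:
        found.append("external-untrusted-sender")
    if SHAREPOINT_URL.search(msg.body):
        found.append("sharepoint-link")
    if LURE_WORDS.search(msg.subject) or LURE_WORDS.search(msg.body):
        found.append("invoice-payment-lure")
    for name in msg.attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            found.append(f"risky-attachment:{name}")
    return found


def should_flag(tags: list[str]) -> bool:
    """Flag only when an untrusted external sender is paired with a delivery vector.

    A lure keyword alone (internal invoice traffic) or a SharePoint link from a
    trusted partner domain is normal business traffic and is left alone.
    """
    delivery = any(t == "sharepoint-link" or t.startswith("risky-attachment:") for t in tags)
    return "external-untrusted-sender" in tags and delivery


def triage(messages, trusted_domains):
    """Run the rule over a batch of messages and return the flagged ones with their tags."""
    flagged = []
    for msg in messages:
        tags = indicators(msg, trusted_domains)
        if should_flag(tags):
            flagged.append({"channel": msg.channel, "subject": msg.subject, "tags": tags})
    return flagged


# Constructed sample traffic (hypothetical domains, no real tenant or link).
TRUSTED = {"corp.example", "partner.example"}
SAMPLES = [
    Message("teams", "billing-desk.example", True, "Overdue invoice",
            "Please review https://tenant.sharepoint.com/:u:/s/docs/abc?download=1"),
    Message("email", "corp.example", False, "Invoice approval",
            "See attached for sign-off", ["invoice.pdf"]),
    Message("email", "partner.example", True, "Q3 report",
            "Shared at https://partner.sharepoint.com/sites/reports/q3"),
    Message("email", "unknown-sender.example", True, "Payment confirmation",
            "Details in the attachment", ["payment_details.js"]),
]

if __name__ == "__main__":
    for hit in triage(SAMPLES, TRUSTED):
        print(hit)
```

In practice the `Message` records would be built from whatever mail-flow or Teams audit export the organisation has; the rule is deliberately conservative so that an analyst reviews the flagged items rather than blocking on keywords alone.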