for Zero Day
| November 21, 2019 — 01:30 GMT (01:30 GMT)
| Topic: Security
Getty Images/iStockphoto
In a statement published today, Microsoft has rebuffed rumors that its Microsoft Teams communication and collaboration platform is being used by cyber-criminal gangs to plant ransomware on company networks.
Like all rumors, their origin is unknown, but they began circulating online in early November after several companies across Spain were infected with the DoppelPaymer ransomware.
@MSFT365Status @Office365 @Microsoft Any update on the ransomware attack in the companies of Spain with “Microsoft Teams”?
— Beowulf (@kampitofreak) November 5, 2019
“Microsoft has been investigating recent attacks by malicious actors using the Dopplepaymer ransomware,” said Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC).
“There is misleading information circulating about Microsoft Teams, along with references to RDP (BlueKeep), as ways in which this malware spreads,” Pope said.
“Our security research teams have investigated and found no evidence to support these claims,” the Microsoft exec said. “In our investigations we found that the malware relies on remote human operators using existing Domain Admin credentials to spread across an enterprise network.”
Besides rejecting rumors that somehow Microsoft Teams were involved, Pope also addressed a second set of rumors that has also been going around on social media.
These second rumors claimed that cyber-criminals might have used the BlueKeep RDP vulnerability to install the DoppelPaymer ransomware, also in reference to the same attacks detected across Spain.
Also, the Microsoft Teams update thing is being repeated by security companies is sourced from a single tweet speculating about it. It’s not a thing, it was never a thing, it’s not a vector in ransomware. The unsexy truth is attackers get domain admin.
— Kevin Beaumont (@GossiTheDog) November 21, 2019
This is a first-of-its-kind move from the company. Microsoft has never until today issued such a stern statement to correct (such blatantly false) online rumors.
In hindsight, both rumors should have never caught on as they did, with some being repeated in some news media articles, and could have been easily disproved.
First, the DoppelPaymer ransomware is a version of the BitPaymer ransomware, and, historically, has been exclusively distributed via the Dridex botnet or the Emotet botnets (or both).
Computers infected with either the Dridex or Emotet malware are in some cases used to provide ransomware gangs with manual access to companies’ internal networks. Here, as Pope explained above, attackers extract credentials for the company’s internal network to spread laterally to other systems and then install DoppelPaymer on as many systems as they can.
Second, all the attacks were the BlueKeep vulnerability was deployed had the end goal of installing a cryptocurrency miner, something that was made clear by the two researchers who spotted and investigated the initial BlueKeep attacks [1, 2], and even Microsoft itself.
There has yet to be a publicly documented case where BlueKeep has been used to install ransomware.
As security researcher Kevin Beaumont and Rapid7 Chief Data Scientist Bob Rudis have iterated on many occasions, most of the malicious RDP traffic today is RDP brute-force attacks, and not BlueKeep-related exploitation traffic.
Yep. Can confirm. https://t.co/4IDOwNfFRq
— boB Rudis (@hrbrmstr) November 21, 2019
Security
Chrome, Edge, Safari hacked at elite Chinese hacking contest
Thousands of hacked Disney+ accounts are already for sale on hacking forums
Cybersecurity is heading into a recruitment crisis: Here’s how we fix the problem
Fixing data leaks in Jira (ZDNet YouTube)
Best home security of 2019: Professional monitoring and DIY (CNET)
How to control location tracking on your iPhone in iOS 13 (TechRepublic)
Related Topics:
Microsoft
Security TV
Data Management
CXO
Data Centers
for Zero Day
| November 21, 2019 — 01:30 GMT (01:30 GMT)
| Topic: Security