Microsoft seized parts of the infrastructure of a prolific Vietnam-based threat group that the IT giant said was responsible for creating as many as 750 million fraudulent Microsoft accounts that were then sold to other bad actors and used to launch a range of cyberattacks - from ransomware to phishing to identity theft - against Microsoft and other platforms.
The cybercrime-as-a-service (CaaS) operation run by the group, tracked as Storm-1152, used a Hotmail account to sell the fraudulent Microsoft accounts, social media accounts to market the business, and three websites to host its tooling and infrastructure and sell a CAPTCHA-solving service that let customers bypass the anti-bot check in order to create the accounts and put them to use.
The threat group, which ran the operation like a retail business, pulled in millions of dollars over the past couple of years, according to Amy Hogan-Burney, general manager and associate general counsel for Microsoft's Cybersecurity Policy and Protection unit.
She added that Storm-1152 plays a key role in the CaaS landscape.
As with any as-a-service business, CaaS lowers the bar to entry, enabling less-skilled bad actors to carry out effective attacks and focus their efforts on running ransomware, phishing, spamming, and other criminal campaigns.
CaaS operations are a growing threat, relatively unknown a few years ago and now accounting for about 80% of the attack traffic seen by Arkose Labs' security operation center.
Arkose has been tracking Storm-1152 since 2021 and worked closely with Microsoft to disrupt the group's operations.
Hogan-Burney wrote that multiple groups involved with ransomware, data theft, and extortion used fraudulent accounts from Storm-1152, including Octo Tempest - also known as Scattered Spider - a financially motivated threat actor that uses social engineering tactics to compromise organizations.
Other groups include Storm-0252, which runs phishing campaigns and was back in the news this week for using Google Forms to give its scheme an air of legitimacy.
Another group using Storm-1152's services is Storm-0455. Microsoft's Storm-#### designations are reserved for emerging clusters that have not yet been attributed to a known actor, so Storm-0455 is not a name for an established Russian espionage group; in particular, Strontium is Microsoft's former name for APT28, a distinct actor from APT29 (Nobelium, now Midnight Blizzard), the group behind the 2020 SolarWinds attack.
Storm-1152 initially built its business on AnyCaptcha.com, a CAPTCHA solver service with a versatile business model, according to Arkose Labs CEO Kevin Gosschalk and Chief Customer Officer Patrice Boffa.
The Arkose Cyber Threat Intelligence Research unit (ACTIR) first detected the CaaS operation in 2021 and described it as a systematic effort and one of the earliest CAPTCHA solvers to rely on machine learning techniques, they wrote.
The group later traded under the aliases 1stCaptcha and NoneCaptcha and ran hotmailbox.me; its persistence and rapid pace of innovation made it one of the largest and most sophisticated such operations ACTIR had seen.
Hogan-Burney wrote that Microsoft obtained a court order on December 7 from the U.S. District Court for the Southern District of New York to seize Storm-1152's U.S.-based infrastructure and take its websites offline, adding that the technology was used not only to create and sell fraudulent Microsoft accounts but also to slip past security measures on other technology platforms.
In all, the company took down the three CAPTCHA solver websites, the Hotmail account, and the social media accounts used to sell the group's services.
It also confirmed the identities of three people leading the Storm-1152 operations - Duong Dinh Tu, Linh Van Nguyễn, and Tai Van Nguyen - who are based in Vietnam.
The three operated the services, wrote the code for the websites, published detailed instructions for using their products in video tutorials, and ran chat support for their customers.
Source: securityboulevard.com. Publication date: Thu, 14 Dec 2023 16:13:04 +0000