Ongoing Campaign Abusing Small Office and Home Office Devices

Published on 08 Jun 2023

Microsoft has revealed the detection of covert and malicious operations aimed at gaining unauthorised access to credentials and conducting network system exploration.

The campaign involves the use of compromised small office and home office (SOHO) network edge devices, such as devices made by the following manufacturers:

  • ASUS
  • Cisco
  • D-Link
  • NETGEAR
  • Zyxel

Many of these devices allow the owner to expose HTTP or SSH management interfaces to the internet. By proxying through these devices, the threat actor is able to enhance the stealth of their operations.

Observed Tactics, Techniques and Procedures (TTPs)

The threat actor behind the campaign employs a high degree of stealth in their operations, relying heavily on living-off-the-land techniques and hands-on-keyboard activity. The three main steps in their approach involve:

  • Data Collection: The threat actor conducts extensive data collection, targeting both local and network systems to obtain valuable credentials.
  • Data Staging: Once the data is collected, the threat actor stores it in an archive file to prepare for exfiltration, allowing them to retrieve it later.
  • Persistence: The stolen valid credentials are used to maintain long-term access and persistence within the compromised systems.

To further mask their activities, the threat actor routes their traffic through compromised SOHO network equipment such as routers, firewalls, and VPN hardware. In doing so, their malicious traffic blends with legitimate network activity, making it harder to detect. Additionally, the threat actor has been observed utilising custom versions of open-source tools to establish a command and control (C2) channel over proxy. These measures enable them to maintain a low profile and avoid detection while carrying out their operations.

Indicators of Compromise (IOCs)

Possible indicators of compromise (IOCs) associated with the ongoing espionage campaign are shown in the table below.


Prevention and Mitigation Measures

Users and administrators are advised to consider the following measures to defend against the espionage campaign and mitigate the associated risks:

  • Enforce Strong Multi-Factor Authentication (MFA): Implement robust MFA policies using hardware security keys or Microsoft Authenticator to reduce the likelihood of compromised valid accounts. Passwordless sign-in, setting password expiration rules, and deactivating unused accounts can also enhance security.
  • Reduce Attack Surface: Enable attack surface reduction rules provided by Microsoft to block or audit specific activities associated with the threat. This includes blocking credential stealing from the Windows local security authority subsystem (lsass.exe), blocking process creations from PSExec and WMI commands, and blocking the execution of potentially obfuscated scripts.
  • Harden LSASS Process: Enable the Protected Process Light (PPL) feature for LSASS on Windows 11 devices to enhance its security. Windows Defender Credential Guard, available for the Enterprise edition of Windows 11, should also be enabled to protect credentials.
  • Enable Cloud-Delivered Protection: Turn on cloud-delivered protection in Microsoft Defender Antivirus to leverage real-time threat intelligence and coverage for evolving attacker tools, techniques, and behaviors.
  • Run Endpoint Detection and Response (EDR) in Block Mode: Configure your endpoint detection and response solution, such as Microsoft Defender for Endpoint, to operate in block mode. This ensures that even if other antivirus software fails to detect the threat, malicious artifacts are still remediated by the EDR solution.
  • Keep Systems Up to Date: Keep systems and security measures up to date to enhance the security posture of organisations and help protect against this campaign and similar threats.

More information is available here:
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
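
One way to apply the Windows-side measures listed above with built-in cmdlets, as an added example that is not part of this advisory or of Microsoft's own guidance. It assumes an elevated PowerShell session on a host running Microsoft Defender Antivirus; the ASR rule GUIDs are the published identifiers for the three rules named above, and the registry values are the documented LSA protection and Credential Guard switches, both of which should be checked against current Microsoft documentation before mass deployment.

```powershell
# Added example (not from the advisory or Microsoft): applies the hardening
# steps from the mitigation list with built-in cmdlets. Run elevated.
#Requires -RunAsAdministrator

# Assumed: published GUIDs for the three ASR rules named in the advisory.
$AsrRules = @{
    'Block credential stealing from LSASS'                 = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block process creations from PSExec and WMI commands' = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block execution of potentially obfuscated scripts'    = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
}

# Start in audit mode to collect telemetry; the PSExec/WMI rule in particular
# can break legitimate software-deployment tooling. Switch to 'Enabled' once
# the audit events (Microsoft-Windows-Windows Defender/Operational) are reviewed.
$Mode = 'AuditMode'

foreach ($rule in $AsrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                     -AttackSurfaceReductionRules_Actions $Mode
    Write-Host "ASR rule set to ${Mode}: $($rule.Key)"
}

# Cloud-delivered protection: advanced MAPS reporting plus sample submission.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples

# LSASS as Protected Process Light (RunAsPPL = 1). Takes effect after reboot;
# confirm no third-party LSA plugins are in use, as unsigned ones will fail to load.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -Value 1 -Type DWord

# Credential Guard (Enterprise edition, VBS-capable hardware required):
# LsaCfgFlags = 1 enables it with UEFI lock; 2 enables it without the lock.
$DgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item -Path $DgKey -Force | Out-Null
Set-ItemProperty -Path $DgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
Set-ItemProperty -Path $LsaKey -Name 'LsaCfgFlags' -Value 1 -Type DWord

# Report the resulting configuration so the change can be verified and logged.
$pref = Get-MpPreference
[pscustomobject]@{
    AsrRuleIds     = $pref.AttackSurfaceReductionRules_Ids -join ', '
    AsrRuleActions = $pref.AttackSurfaceReductionRules_Actions -join ', '
    MAPSReporting  = $pref.MAPSReporting
    RunAsPPL       = (Get-ItemProperty -Path $LsaKey -Name 'RunAsPPL').RunAsPPL
    LsaCfgFlags    = (Get-ItemProperty -Path $LsaKey -Name 'LsaCfgFlags').LsaCfgFlags
}
```

EDR block mode is switched on in the Microsoft Defender portal rather than through these cmdlets, so it is not covered by the script.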