VEILDrive Attack: Microsoft Services Used as an Evasion Tactic
Recent media reports claim that the ongoing attack campaign dubbed VEILDrive is leveraging various Microsoft services. Services abused in the VEILDrive campaign include Teams, SharePoint, Quick Assist, and OneDrive. In this article, we’ll dive into how these services are being maliciously leveraged and the protection measures that users can deploy. Let’s begin!
The VEILDrive Attack: Initial Discovery
The origin of the VEILDrive attack campaign can be traced back to August 2024, according to Hunters, an Israeli cybersecurity company. Investigation into the campaign took place in September 2024, when Team AXON responded to malicious activity targeting a critical infrastructure organization in the United States (US).
According to the details of this investigation, various tactics, techniques, and procedures (TTPs) were identified. These TTPs differ significantly from those that usually prevail in similar incidents. Providing insights on the tools that were used and on the evasion tactics, experts from Hunters have stated that:
“Leveraging Microsoft SaaS services—including Teams, SharePoint, Quick Assist, and OneDrive—the attacker exploited the trusted infrastructures of previously compromised organizations to distribute spear-phishing attacks and store malware. This cloud-centric strategy allowed the threat actor to avoid detection by conventional monitoring systems.”
In addition, it’s worth noting that the VEILDrive attack campaign has introduced a novel OneDrive-based Command & Control (C&C) method. This C&C method is embedded in the Java-based malware deployed on compromised devices, and the malware is notable for:
- Defying the usual evasion-oriented design: the code is well structured and readable rather than obfuscated.
- Ensuring effective stealth nonetheless: neither the Endpoint Detection and Response (EDR) solution on the compromised device nor the VirusTotal security engines flagged it.
While this attack methodology is quite straightforward, the malware developed for it bypasses modern detection tools effectively, which makes online threats like the VEILDrive attack campaign all the more alarming. Understanding how such attacks are initiated and carried out is essential for anyone keen on ensuring protection and becoming more resilient in an ever-evolving threat landscape.
Initial Exploit And Attack Chain
The investigation into the most recent VEILDrive attack began when the target organization contacted Team AXON for support with an ongoing incident. It’s worth noting that this specific VEILDrive attack centered on a single device that had been compromised via social engineering.
To initiate the VEILDrive attack, the attacker first used Microsoft Teams to message four selected employees at the targeted organization. The only criterion for choosing these individuals was that they held non-tech roles. To gain initial access, the attacker impersonated an IT team member.
Under this guise, the attacker asked each of the four chosen employees to grant access to their device via the Quick Assist remote utility tool. It’s worth noting that for this outreach the VEILDrive attacker used an account previously compromised during another attack. Commenting on the investigation insights, experts have stated that:
“The above insight was both intriguing and valuable, highlighting the increasing prevalence of phishing through Microsoft Teams and similar communication tools. Distinguishing between successful and failed phishing attempts using M365 audit logs, alongside correlation with EDR logs, can be highly significant for investigations.”
In the next step of the attack, the attacker lured victims into launching Microsoft’s Quick Assist tool and provided them with the access code via Teams, which granted interactive access to the target’s device.
The attacker then shared a download link pointing to the SharePoint of a separate organization. The link led to a password-protected .zip file named Client_v8L.zip, which contained an additional RMM tool. The file was most likely downloaded interactively by the attacker.
This was possible because the attacker already had remote access and could operate in the context of explorer.exe, which allowed them to download tools as needed simply by clicking the link. Providing further details, cybersecurity experts have stated that:
“It’s worth mentioning that during the investigation, we correlated M365 audit logs, which provided precise information about the incoming URLs in Microsoft Teams messages, with the EDR telemetry of the victim’s host to fully understand the attacker’s TTPs.”
From here, multiple attempts were made to carry out malicious operations using the remote access. These mainly aimed at establishing persistence, for example by creating scheduled tasks that execute a file the attacker had downloaded. After these activities, the threat actor downloaded another .zip file named Cliento.zip.
This file contains the .JAR malware together with the Java Development Kit (JDK) needed to run it. Cybersecurity experts have identified several activities associated with the .JAR file used in the VEILDrive attack. These include:
- Outgoing DNS requests or network activity to:
  - afeshift390-my.sharepoint.com
  - graph.microsoft.com
  - login.microsoftonline.com
- Execution of local enumeration commands:
  - System specs: systeminfo
  - Machine time information: net time
  - UUID of the machine: Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
  - USB device enumeration: {$_.interfacetype -eq "USB"}
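As an added example (not from the article or from Hunters’ report), the following Python shows how a defender could correlate the M365 Teams audit signal with EDR process and DNS telemetry to flag the chain described above on a per-host basis. The event schema, host names, user paths and the tenant name in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
# Enumeration commands the article lists, matched against command lines.
ENUM_PATTERNS = {
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "net_time": re.compile(r"\bnet\s+time\b", re.I),
    "uuid": re.compile(r"Win32_ComputerSystemProduct.*UUID", re.I),
    "usb_enum": re.compile(r"interfacetype\s*-eq\s*[\"']?USB", re.I),
}
# Microsoft endpoints the payload used; the signal is java.exe run from a user profile.
C2_HOSTS = ("graph.microsoft.com", "login.microsoftonline.com", "-my.sharepoint.com")
JAVA_FROM_PROFILE = re.compile(r"java(w)?\.exe.*-jar\s+C:\\Users\\", re.I)

def assess(events):
    """Map per-host events (kind: teams_msg / process / dns) onto chain stages."""
    hosts = defaultdict(lambda: {"teams": False, "qa": False, "enum": set(), "c2": set()})
    for ev in events:
        h = hosts[ev["host"]]
        if ev["kind"] == "teams_msg" and ev.get("external"):
            h["teams"] = True  # message from outside the tenant (M365 audit log)
        elif ev["kind"] == "process":
            if "quickassist.exe" in ev["cmd"].lower():
                h["qa"] = True
            h["enum"].update(n for n, p in ENUM_PATTERNS.items() if p.search(ev["cmd"]))
        elif ev["kind"] == "dns" and JAVA_FROM_PROFILE.search(ev["cmd"]):
            if ev["dest"].lower().endswith(C2_HOSTS):
                h["c2"].add(ev["dest"])
    verdicts = {}
    for host, h in hosts.items():
        stages = []
        if h["teams"] and h["qa"]:  # external Teams lure followed by Quick Assist = successful phish
            stages.append("teams_phish_then_quick_assist")
        if len(h["enum"]) >= 3:  # three of the four recon commands seen on one host
            stages.append("local_enumeration")
        if h["c2"]:
            stages.append("java_to_microsoft_cloud")
        verdicts[host] = stages
    return verdicts

# Constructed sample telemetry (not from the report): the full chain on host WS01.
JAR = "C:\\Users\\jdoe\\Cliento\\jdk\\bin\\java.exe -jar C:\\Users\\jdoe\\Cliento\\Client.jar"
SAMPLE = [
    {"host": "WS01", "kind": "teams_msg", "external": True},
    {"host": "WS01", "kind": "process", "cmd": "QuickAssist.exe"},
    {"host": "WS01", "kind": "process", "cmd": "cmd.exe /c systeminfo"},
    {"host": "WS01", "kind": "process", "cmd": "cmd.exe /c net time"},
    {"host": "WS01", "kind": "process", "cmd": "powershell.exe Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID"},
    {"host": "WS01", "kind": "process", "cmd": "powershell.exe Get-WmiObject Win32_DiskDrive | Where-Object {$_.interfacetype -eq \"USB\"}"},
    {"host": "WS01", "kind": "dns", "cmd": JAR, "dest": "graph.microsoft.com"},
    {"host": "WS01", "kind": "dns", "cmd": JAR, "dest": "exampletenant-my.sharepoint.com"},
]
```

Running `assess(SAMPLE)` reports all three stages for WS01; a host that only runs systeminfo, or a system-wide Java install talking to Graph, produces no stage.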
Mitigation Mechanisms For Increased Security
Before we dive into the mitigation measures that can help organizations and users ensure protection, it’s worth noting that the methods used in the VEILDrive attack are ones that can recur in other attacks.
Therefore, adhering to the protection measures listed below can help improve the overall security posture and make users more resilient in mitigating risk. Some of the many protection measures that can be applied against the VEILDrive attacks and others include:
- Restricting external communications to trusted domains.
- Adding external parties to Teams as guest members.
- Limiting access to remote administration tools.
- Keeping an inventory of commonly used tools and monitoring their use.
- Providing comprehensive security training to increase awareness.
Conclusion
The VEILDrive attack demonstrates the increasing sophistication of cyber threats, leveraging trusted platforms like Microsoft Teams and SharePoint to evade traditional defenses and gain entry via social engineering. By exploiting widely used SaaS tools and well-structured malware, attackers manage to bypass security controls and conduct prolonged, stealthy operations.
Implementing robust security protocols can significantly reduce the risk of such advanced attacks. As threats continue evolving, staying vigilant and proactively strengthening defenses is essential for organizations aiming to safeguard against similar campaigns in the future.
The sources for this piece include articles in The Hacker News and Hunters.