A new data-extortion group called Helix is using identity-focused tactics such as voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to steal data from SharePoint environments.
Initial contact is made through vishing. In some cases, the threat actor called employees while impersonating their manager, using either the manager's name or caller ID spoofing to appear legitimate.
The purpose is to trick the target into device-code phishing schemes to gain access to their accounts.
Once inside, Helix operators quickly register a new multi-factor authenticator app for persistence, then browse and enumerate SharePoint before exfiltrating files.
According to researchers at cybersecurity firm ReliaQuest, the stolen data is typically used to extort victim organizations by threatening to publish it unless a ransom is paid, or it is sold to other cybercriminals.
The SharePoint exfiltration behavior is Helix’s strongest technical fingerprint.
"Automated enumeration and collection were identical across incidents and represent the most reliable fingerprint. Enumeration ran from 179.43.185[.]230 using the python-requests/2.28.1 user-agent," the researchers note.
“The operator issued contentclass:STS_Site and wildcard (*) SharePoint searches to inventory all reachable content, then bulk-downloaded from the same IP and user-agent.”
Links to ShinyHunters and BlackFile
ReliaQuest believes that Helix emerged from the ShinyHunters and BlackFile data extortion groups based on the techniques and infrastructure used, although the researchers did not find a definitive connection.
... continue reading