[German]On June 13, 2023, a blog reader received a message from Defender for Endpoint (ATP). He was notified that there was an outbound connection to IP 20.119.0.42:443 associated with a hacking group "Storm-0900". Later another reader mentioned such an alert. I'll post the information here on the blog – maybe there are others affected – because the IP belongs to a Microsoft Azure instance.
Advertising
The blog reader uses Defender for Endpoint (ATP) on his endpoints and received an alert from it on June 15, 2023 related to the Microsoft Edge browser, see the following screenshot.
Such warnings can occur. However, the details made us suspicious. Microsoft Edge registered an outbound connection to an IP address pointing to a Microsoft Azure instance. Defender then triggers a warning "Outbound connection from 192.168.5.105:58836 to 20.119.0.42:443 MSTIC Storm-0900 activity group." The reader wrote me about this:
Hello Mr. Born,
maybe this is of interest for you.
Yesterday we had a strange message from "Defender for Endpoint (ATP)" on an endpoint.
Supposedly we had an activity of MSTIC STORM-900 related to Edge. The amazing thing after my research was that this IP (20.119.0.42) belongs to MS-Azure.
This IP was registered only about 8-10 days ago.
However, the URL "safe-hse.com" is listed on Virustotal as Malicious/Phishing and has nothing to do with Microsoft. I have sent this to MS IOC@.
Maybe this is of interest for you.
After posting this in my German blog, a 2nd user left a comment, that he was also alerted from another security program too.
WhoIs for the mentioned IP says indeed it belongs to Microsoft. The reader sent me the following screenshot with the resolution of the URL, which contains some additional information.
Advertising
I then had the above URL "shown as resolved by Defender" checked on Virustotal – 17 out of 91 providers report this website as malicious (phishing or malicious).
This indicates that an Azure instance might have been hacked. The reader has contacted Microsoft regarding this warning, but has not yet received a response. Perhaps other readers have received these messages (possibly a phishing email is being distributed with a link to the above website).
Regarding the classification of the "Storm-0900 group", not much concrete can be said. Microsoft has written the following on the support page How Microsoft names threat actors.
For groups in development, i.e., a newly discovered, unknown, emerging, or evolving threat activity group, we use the provisional name "Storm" and a four-digit number that allows us to track it as a unique information group until we have a high level of confidence in the origin or identity of the actor behind the operation
Advertising
