Skip to content

New Data Extortion Group Helix Emerges, Using Vishing and MFA Abuse to Steal SharePoint Data

A new data extortion group has emerged, targeting organizations by stealing sensitive information from their SharePoint environments. The group, known as Helix, uses a combination of vishing (voice phishing), device code phishing, and multi-factor authentication (MFA) abuse to gain access to SharePoint data.

According to researchers at cybersecurity firm ReliaQuest, the initial contact with the target is made through vishing, where the threat actor calls employees while impersonating their manager or using caller ID spoofing. The purpose of this initial contact is to trick the target into device-code phishing schemes, which allows Helix operators to gain access to their accounts.

Once inside, Helix operators quickly register a new multi-factor authenticator app for persistence and then browse and enumerate SharePoint before exfiltrating files. The stolen data is typically used to extort victim organizations by threatening to publish it unless a ransom is paid, or it is sold to other cybercriminals.

One of the strongest technical fingerprints of Helix’s behavior is their use of automated enumeration and collection, which is identical across incidents. This behavior includes using the python-requests/2.28.1 user-agent from IP address 179.43.185[.]230 to issue contentclass:STS_Site and wildcard (*) SharePoint searches to inventory all reachable content.

Researchers at ReliaQuest believe that Helix emerged from the ShinyHunters and BlackFile data extortion groups based on the techniques and infrastructure used. While there is no definitive connection, the researchers found that one Helix attack used an exfiltration IP address in the same autonomous system (AS 51852) as a confirmed BlackFile IP address, suggesting shared resources.

In addition to the link to ShinyHunters, Helix demonstrates a similar social engineering playbook, including vishing, employee impersonation, targeting Microsoft 365, and stealing SharePoint data. The use of the NICENIC registrar is also seen in past ShinyHunters campaigns.

To defend against Helix attacks, researchers recommend disabling device code authentication where possible, restricting SharePoint access to only managed devices, and blocking exchanges with newly registered domains, which Helix typically uses in its attacks.

**Key Takeaways:”

* A new data extortion group called Helix has emerged, targeting organizations by stealing sensitive information from their SharePoint environments.

* Helix uses a combination of vishing, device code phishing, and MFA abuse to gain access to SharePoint data.

* The stolen data is typically used to extort victim organizations by threatening to publish it unless a ransom is paid, or it is sold to other cybercriminals.

* To defend against Helix attacks, researchers recommend disabling device code authentication where possible, restricting SharePoint access to only managed devices, and blocking exchanges with newly registered domains.

**Recommendations:”

* Disable device code authentication where possible to prevent attackers from using it as an entry point.

* Restrict SharePoint access to only managed devices to limit the attack surface.

* Block exchanges with newly registered domains to prevent attackers from using them in their attacks.

**Conclusion:”

The emergence of Helix highlights the importance of robust security measures and employee education. Organizations must be vigilant in protecting themselves against data extortion groups like Helix, which use sophisticated tactics to steal sensitive information. By staying informed and taking proactive steps, organizations can reduce their risk of falling victim to such attacks.

**Related Articles:”

* ShinyHunters Data Extortion Group Targets Microsoft 365 Users

* BlackFile Data Extortion Group Uses Sophisticated Tactics to Steal Sensitive Information

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *