A brand new information extortion group known as Helix is stealing information from SharePoint environments utilizing identity-focused ways reminiscent of voice phishing (vishing), system code phishing, and multi-factor authentication (MFA) abuse.
Preliminary contact might be made by means of Vishing. In some instances, attackers impersonated managers to name staff and used spoofing of the supervisor’s identify or caller ID to seem official.
The purpose is to trick the goal into a tool code phishing scheme and achieve entry to their account.
As soon as inside, the Helix operator rapidly registers a brand new multi-factor authentication app for persistence and enumerates by shopping SharePoint earlier than extracting recordsdata.
Researchers at cybersecurity agency ReliaQuest say stolen information is often used to blackmail sufferer organizations by threatening to launch them until they pay a ransom or promote it to different cybercriminals.
SharePoint’s leaky habits is Helix’s strongest technical signature.
“Computerized enumeration and assortment is identical throughout incidents and represents probably the most dependable fingerprint. Enumeration was carried out from: 179.43.185(.)230 utilizing python-requests/2.28.1 consumer agent,” the researchers level out.
“Issued by the operator Content material class:STS_Site and wildcard
SharePoint searches and inventories all reachable content material and bulk downloads it from the identical IP and consumer agent. ”
Hyperlinks to ShinyHunters and BlackFile
ReliaQuest believes Helix emerged from the ShinyHunters and BlackFile information extortion teams primarily based on the expertise and infrastructure used, however researchers haven’t discovered a definitive connection.
Over the previous month, Medtronic, Nissan, NAIC, Kodak, Infinite Campus, and the College of Nottingham have confirmed information breaches beforehand claimed by Shiny Hunters.
The now-defunct BlackFile information extortion group used identity-based assaults and social engineering to focus on organizations earlier than going dormant in April.
ReliaQuest analysis discovered that one Helix assault used an uncovered IP handle inside the similar autonomous system (AS 51852) that hosts the confirmed BlackFile IP addresses, suggesting a shared useful resource.
Moreover, Helix, which appeared shortly after BlackFile’s shutdown, might point out a potential continuation of the defunct operation. ReliaQuest additionally mentions Pink and Redact as potential successors.
Relating to the hyperlink to ShinyHunters, Helix displays a really related social engineering playbook, together with vishing, worker impersonation, Microsoft 365 focusing on, and SharePoint information theft.
The second clue is using the NICENIC registrar, which has additionally been seen in previous ShinyHunters campaigns.
As the best protection in opposition to Helix assaults, researchers advocate disabling system code authentication every time potential.

Article picture
Safety groups doc 54% of profitable assaults and concern a warning on solely 14%. The remainder strikes invisibly by means of the surroundings.
Picus’ whitepaper reveals how one can check your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
