uTalk

thrive

Member

Registered: 2023-01-04

Posts: 2,018

Microsoft warns of widespread credential theft by Russian hackers.

Midnight Blizzard, a hacker collective with ties to the Russian government, has increased its use of credential-stealing attacks, according to a statement from Microsoft.

Governments, IT service providers, NGOs, the defense industry, and critical manufacturing sectors are among the industries targeted by the intrusions, according to the threat intelligence team of the tech giant. The intrusions used residential proxy services to conceal their source IP address.

APT29, Cozy Bear, Iron Hemlock, and The Dukes are additional tracking names for Midnight Blizzard, formerly known as Nobelium.

The group, which gained notoriety after compromising the SolarWinds supply chain in December 2020, has persisted in using covert tooling in its targeted assaults on foreign ministries and diplomatic organizations.

They are a particularly potent actor in the field of espionage because of how determined they are to continue their operations in spite of being discovered.

In a series of tweets, Microsoft stated that "these credential attacks use a variety of password spray, brute-force, and token theft techniques," and that the actor "conducted session replay attacks to gain initial access to cloud resources leveraging stolen sessions likely acquired via illicit sale. ".

APT29 was also criticized by the tech giant for using residential proxy services to send malicious traffic in an effort to obfuscate connections made with stolen credentials.

The threat actor probably only used these IP addresses for a very brief period of time, which could make scoping and remediation difficult, according to the Windows developers.

The news comes as Recorded Future revealed a fresh spear-phishing campaign launched in November 2021 by APT28 (also known as BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight, and Fancy Bear) that targets Ukrainian military and government institutions.

Several vulnerabilities in the free and open-source Roundcube webmail program (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) were exploited by the attacks using emails with attachments to conduct reconnaissance and data gathering.

Microsoft.

The Russian military intelligence hackers used rogue JavaScript malware to set up a redirection system that sent targeted people's incoming emails to an address under the attackers' control and stole their contact lists after a successful breach.

The cybersecurity company claimed that the campaign "displayed a high level of preparedness, quickly weaponizing news content into lures to exploit recipients.". "The spear-phishing emails mimicked legitimate media sources in terms of both subject lines and content, and they included news themes pertaining to Ukraine. ".

Cybersecurity.

More importantly, the activity is alleged to be related to a different series of attacks that weaponized a then-zero-day flaw in Microsoft Outlook (CVE-2023-23397), which Microsoft disclosed as being used in "limited targeted attacks" against European organizations.

The March 2023 Patch Tuesday updates included fixes for the privilege escalation vulnerability.

The results show Russian threat actors' persistent efforts to gather useful information on numerous entities in Ukraine and throughout Europe, particularly after the country was fully invaded in February 2022.

The widespread use of wiper malware, which deletes and destroys data, has made the cyberwarfare operations against Ukrainian targets stand out as one of the first instances of extensive hybrid conflict.

In order to support broader Russian military efforts, Recorded Future said that BlueDelta "will almost certainly continue to prioritize targeting Ukrainian government and private sector organizations.".