
Microsoft said it has detected a spike in credential theft attacks by a Russian state-sponsored hacking group known as Midnight Blizzard.
The intrusions rely on residential proxy services to obfuscate the attacking IP addresses and target governments, IT service providers, NGOs, and the defense and critical manufacturing sectors, according to the technology giant’s threat intelligence team.
Midnight Blizzard, formerly tracked by Microsoft as Nobelium, is also known as APT29, Cozy Bear, Iron Hemlock, and The Dukes.
The group, which gained global attention in December 2020 for its SolarWinds supply chain breach, continues to rely on stealthy tooling in targeted attacks aimed at foreign ministries and diplomatic agencies.
Its determination to keep operating despite being exposed makes it a particularly formidable espionage actor.

“These credential attacks use a variety of password spray, brute force, and token theft techniques,” Microsoft said in a series of tweets, adding that the attackers “also conducted session replay attacks to gain initial access to cloud resources using stolen sessions, likely acquired via illicit sale.”
The tech giant also accused APT29 of using residential proxy services to route malicious traffic in order to obfuscate connections made using leaked credentials.
“Attackers may have used these IP addresses for a very short period of time, which can make investigation and remediation difficult,” the Windows maker said.
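The three signals Microsoft describes above (password spray across many accounts, proxy IPs used only briefly, and a stolen or guessed credential finally succeeding) can be checked together in sign-in telemetry. The following detection logic is an added example written for this article, not code from Microsoft or any of the vendors mentioned; it runs over a constructed, clearly labelled sample log (CSV lines of `timestamp,user,source_ip,result`) and assumes nothing about a particular SIEM's schema. The thresholds are illustrative starting points, not vendor-recommended values.

```python
"""Password-spray and proxy-rotation detection over constructed sign-in logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (NOT real telemetry). Format: timestamp,user,source_ip,result.
# The first twelve lines model a spray through three short-lived proxy IPs that ends with a
# successful sign-in; the last three model a legitimate user mistyping their own password.
SAMPLE_LOG = """\
2023-06-15T08:00:01Z,alice,203.0.113.10,failure
2023-06-15T08:00:04Z,bob,203.0.113.10,failure
2023-06-15T08:00:07Z,carol,203.0.113.10,failure
2023-06-15T08:00:09Z,dave,203.0.113.10,failure
2023-06-15T08:05:12Z,erin,203.0.113.11,failure
2023-06-15T08:05:15Z,frank,203.0.113.11,failure
2023-06-15T08:05:18Z,grace,203.0.113.11,failure
2023-06-15T08:05:20Z,heidi,203.0.113.11,failure
2023-06-15T08:10:30Z,alice,203.0.113.12,failure
2023-06-15T08:10:33Z,bob,203.0.113.12,failure
2023-06-15T08:10:36Z,carol,203.0.113.12,failure
2023-06-15T08:10:40Z,dave,203.0.113.12,success
2023-06-15T09:30:00Z,ivan,198.51.100.7,failure
2023-06-15T09:30:20Z,ivan,198.51.100.7,failure
2023-06-15T09:30:45Z,ivan,198.51.100.7,success
"""


def parse_events(text):
    """Parse the CSV sample into dicts with a real datetime for sorting/arithmetic."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "result": result})
    return events


def profile_sources(events):
    """Per source IP: failed attempts per account plus first/last time seen."""
    profiles = {}
    for e in events:
        p = profiles.setdefault(e["ip"], {"fails": defaultdict(int),
                                          "first": e["ts"], "last": e["ts"]})
        p["first"] = min(p["first"], e["ts"])
        p["last"] = max(p["last"], e["ts"])
        if e["result"] == "failure":
            p["fails"][e["user"]] += 1
    return profiles


def detect_password_spray(events, min_accounts=3, max_attempts_per_account=2):
    """Spray signature: one source fails against MANY accounts with FEW tries each
    (the inverse of a brute force, which hammers one account). Returns {ip: [accounts]}."""
    findings = {}
    for ip, p in profile_sources(events).items():
        fails = p["fails"]
        if len(fails) >= min_accounts and max(fails.values()) <= max_attempts_per_account:
            findings[ip] = sorted(fails)
    return findings


def correlate_campaign(events, spray_findings, window=timedelta(hours=1),
                       max_ip_lifetime=timedelta(minutes=5)):
    """Merge spray sources active within `window` of each other into one campaign and
    count how many IPs were used only briefly, the proxy-rotation pattern Microsoft notes."""
    profiles = profile_sources(events)
    campaigns = []
    for ip in sorted(spray_findings, key=lambda ip: profiles[ip]["first"]):
        p = profiles[ip]
        short_lived = int((p["last"] - p["first"]) <= max_ip_lifetime)
        if campaigns and p["first"] - campaigns[-1]["last_seen"] <= window:
            c = campaigns[-1]
            c["ips"].append(ip)
            c["accounts"].update(spray_findings[ip])
            c["last_seen"] = max(c["last_seen"], p["last"])
            c["short_lived_ips"] += short_lived
        else:
            campaigns.append({"ips": [ip], "accounts": set(spray_findings[ip]),
                              "first_seen": p["first"], "last_seen": p["last"],
                              "short_lived_ips": short_lived})
    return campaigns


def successes_after_spray(events, campaigns):
    """Successful sign-ins to sprayed accounts after the campaign began: these are the
    alerts to triage first, since they mean a guessed or stolen credential now works."""
    hits = []
    for c in campaigns:
        for e in events:
            if e["result"] == "success" and e["user"] in c["accounts"] and e["ts"] >= c["first_seen"]:
                hits.append((e["user"], e["ip"], e["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    spray = detect_password_spray(evs)
    camps = correlate_campaign(evs, spray)
    print("spray sources:", spray)
    print("campaigns:", camps)
    print("successful sign-ins to sprayed accounts:", successes_after_spray(evs, camps))
```

Note how the legitimate user `ivan` is not flagged: three failures against a single account from one IP fails the many-accounts test, which is exactly what separates a spray from an ordinary typo. Correlating across sources matters because, as the quote above points out, each proxy IP may appear for only seconds; per-IP alerting alone would produce three weak signals instead of one campaign.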
The development comes as Recorded Future detailed a new spear-phishing campaign organized by APT28 (aka BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight, Fancy Bear) targeting Ukrainian government agencies and military organizations from November 2021 onwards.
The attacks leverage emails with attachments that exploit multiple vulnerabilities (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) in the open-source Roundcube webmail software to carry out reconnaissance and data collection.

Successful infiltration allowed the Russian military intelligence hackers to deploy malicious JavaScript that redirected targeted individuals’ incoming emails to attacker-controlled addresses and stole their contact lists.
“This campaign demonstrated a high level of preparedness and rapidly weaponized news content as bait to exploit recipients,” said the cybersecurity firm. “The spear-phishing email contained news themes related to Ukraine, with subject lines and content reflecting legitimate media sources.”

More importantly, this activity is said to overlap with another series of attacks that weaponized a then zero-day flaw in Microsoft Outlook (CVE-2023-23397), which Microsoft revealed had been used in “limited targeted attacks.”
This privilege escalation vulnerability was addressed as part of the Patch Tuesday update deployed in March 2023.
The findings demonstrate the relentless efforts of Russian threat actors to gather valuable information on various entities in Ukraine and across Europe, especially after the full-scale invasion of Ukraine in February 2022.
The cyber warfare operation targeting Ukraine has been particularly marked by the widespread deployment of wiper malware aimed at deleting and destroying data, making it one of the early examples of a large-scale hybrid conflict.
Recorded Future concluded that “Blue Delta will almost certainly continue to prioritize Ukrainian government and private sector entities to support Russia’s broader military operations.”