Researchers from Microsoft reported on 25 January 2024 that the Russian state-sponsored threat actors responsible for a cyberattack on its systems in late November 2023 have been targeting other organizations and that it's currently beginning to notify them. The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a hacking crew tracked as APT29, which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. This threat actor is known to target governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers, primarily in the US and Europe," the Microsoft Threat Intelligence team said in a new advisory.
See: https://redskyalliance.org/xindustry/magicweb
The primary goal of these espionage missions is to gather sensitive information that is of strategic interest to Russia by maintaining footholds for extended periods of time without attracting any attention. The latest disclosure indicates that the scale of the campaign may have been bigger than previously thought. Researchers did not reveal which other entities were singled out.[1]
APT29's operations involve using legitimate but compromised accounts to gain and expand access within a target environment and fly under the radar. It's also known to identify and abuse OAuth applications to move laterally across cloud infrastructures and for post-compromise activity, such as email collection. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to move to the cloud laterally, and exploitation of service providers' trust chains to gain access to downstream customers.
See: https://redskyalliance.org/xindustry/hackers-exploiting-oauth-for-cryptocurrency-mining-phishing
Another tactic uses breached user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. The company pointed out that this enables threat actors to maintain access to applications, even if they lose access to the initially compromised account. These malicious OAuth applications are ultimately used to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts to exfiltrate data of interest.
In the incident targeting Microsoft in November 2023, the threat actor used a password spray attack to infiltrate a legacy successfully non-production test tenant account that did not have multi-factor authentication (MFA) enabled. In this observed Midnight Blizzard activity, the actor tailored their password spray attacks to a limited number of accounts, using few attempts to evade detection and avoid account blocks based on the volume of failures.
The intruders then leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment, weaponizing it to create additional malicious OAuth applications and grant them the Office 365 Exchange Online full_access_as_app role to obtain access to mailboxes.
Such attacks are launched from a distributed residential proxy infrastructure to conceal their origins, allowing the threat actor to interact with the compromised tenant and Exchange Online via a vast network of IP addresses that legitimate users use. Midnight Blizzard's use of residential proxies to obfuscate connections makes traditional indicators of compromise (IoC)-based detection infeasible due to the high changeover rate of IP addresses, forcing organizations to take steps to defend against rogue OAuth applications and password spraying.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://thehackernews.com/2024/01/microsoft-warns-of-widening-apt29.html
Comments