Abuse of Residential Proxy Services, Password Spray Key for Midnight Blizzard Attacks, Microsoft Warns – Here’s What That Means for You
The recent Midnight Blizzard attacks on Microsoft and HPE may be just the beginning, with Russian threat actors already targeting more global organizations, the former warned.
In its detailed analysis of the threat actor and the attack on its infrastructure, the Microsoft Threat Intelligence team noted: “This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the US and Europe.”
Midnight Blizzard, also known as Nobelium, APT29 or Cozy Bear, is on the hunt for sensitive data that could be useful to the Russian government, Microsoft added, noting that the campaign is bigger than initially thought and that other companies may also be targets.
Abuse of compromised accounts
To enter corporate infrastructure, Midnight Blizzard uses compromised accounts and OAuth applications. The Russians would use compromised accounts to grant high privileges to OAuth applications. This allows them to maintain access even if the victim notices the attack and updates the credentials. Their first target is always the email inbox, where they look for important correspondence.
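The persistence trick described above, that an OAuth application keeps its granted privileges after the compromised user's credentials are reset, is something defenders can hunt for in audit logs. The following is an added example, not code from the article or from Microsoft: it scans constructed, simplified audit records (field names and the permission names such as full_access_as_app and Mail.ReadWrite are assumptions, loosely modeled on directory audit entries) for high-privilege grants to applications, and lists the apps that would still hold access once the granting account's password is rotated.

```python
import json

# Constructed sample audit records (an assumption: the field names are simplified
# and not taken from the article or any real log format).
SAMPLE_AUDIT_LOG = """\
{"activity": "Add app role assignment to service principal", "actor": "legacy-test@example.com", "app": "legacy-test-app", "permission": "full_access_as_app", "resource": "Office 365 Exchange Online"}
{"activity": "Consent to application", "actor": "jdoe@example.com", "app": "HR Portal", "permission": "User.Read", "resource": "Microsoft Graph"}
{"activity": "Update user", "actor": "admin@example.com", "app": "", "permission": "", "resource": ""}
{"activity": "Consent to application", "actor": "legacy-test@example.com", "app": "legacy-test-app", "permission": "Mail.ReadWrite", "resource": "Microsoft Graph"}
"""

# Audit activities that hand an OAuth application new permissions.
GRANT_ACTIVITIES = {"Add app role assignment to service principal", "Consent to application"}

# Permissions that let an app read or act on mailboxes or the directory without
# the user being present; treated here as high privilege (assumed set).
HIGH_PRIVILEGE = {"full_access_as_app", "Mail.ReadWrite", "Mail.Read", "Directory.ReadWrite.All"}


def parse_audit_log(log_text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_risky_grants(log_text, high_privilege=HIGH_PRIVILEGE):
    """Return grant events in which an application received a high-privilege permission."""
    findings = []
    for rec in parse_audit_log(log_text):
        if rec.get("activity") in GRANT_ACTIVITIES and rec.get("permission") in high_privilege:
            findings.append({"actor": rec["actor"], "app": rec["app"],
                             "permission": rec["permission"], "resource": rec["resource"]})
    return findings


def apps_to_revoke(findings, compromised_accounts):
    """Apps that were granted privileges by a compromised account keep working after
    that account's password is reset, so they must be reviewed and revoked separately."""
    return {f["app"] for f in findings if f["actor"] in compromised_accounts}


if __name__ == "__main__":
    risky = find_risky_grants(SAMPLE_AUDIT_LOG)
    for f in risky:
        print(f"{f['actor']} granted {f['permission']} on {f['resource']} to app {f['app']}")
    print("Apps still holding access after credential reset:",
          apps_to_revoke(risky, {"legacy-test@example.com"}))
```

Resetting the password of legacy-test@example.com alone leaves legacy-test-app with full mailbox access; the app's role assignments and consents have to be removed as a separate remediation step.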
“They use a variety of initial access methods, ranging from stolen credentials to supply chain attacks, exploiting on-premises environments to move laterally to the cloud, and exploiting service providers’ chain of trust to gain access to downstream customers,” the report said.
Less than a week ago, news broke that high-level individuals at Microsoft, including senior executives and those working in cybersecurity and legal departments, had been targeted. The attackers, Midnight Blizzard, were reportedly able to steal “some emails and attached documents” relating to the group itself.
Shortly afterwards, HPE also said its emails were targeted and that a small percentage of them were accessed.