
Microsoft has shed light on a previously undocumented cluster of threat activity originating from a Russia-affiliated threat actor it tracks as Void Blizzard (aka Laundry Bear), which it says engages in "cloud abuse around the world."
The hacking group, active since at least April 2024, is linked primarily to espionage targeting organizations that are important to Russian government objectives, including those in the government, defense, transportation, media, non-governmental organization (NGO), and healthcare sectors in Europe and North America.
"They often use stolen sign-in details that are likely purchased from online marketplaces to gain access to organizations," the Microsoft Threat Intelligence team said in a report released today. "Once inside, they steal large amounts of emails and files."
Attacks mounted by Void Blizzard have been found to disproportionately single out NATO member states and Ukraine, suggesting that the adversary is trying to gather intelligence in support of Russian strategic objectives.

Specifically, the threat actor is known to target government organizations and law enforcement agencies in NATO member states and in countries that provide direct military or humanitarian assistance to Ukraine. It is also said to have successfully compromised Ukraine's education, transportation and defense sectors.
This includes the October 2024 compromise of several user accounts belonging to a Ukrainian aviation organization that had previously been targeted in 2022 by Seashell Blizzard, a threat actor linked to the Main Intelligence Directorate of the Russian General Staff (GRU).
The attacks are characterized as opportunistic yet targeted, high-volume efforts designed to breach targets deemed valuable by the Russian government. Initial access relies on unsophisticated techniques such as password spraying and the use of stolen authentication credentials.
In some campaigns, the threat actor has used stolen credentials, likely sourced from commodity infostealer logs sold in the cybercrime underground, to sign in to Exchange Online and SharePoint Online and harvest emails and files from compromised organizations.
"The threat actor has also used the publicly available AzureHound tool to enumerate the compromised organization's Microsoft Entra ID configuration to obtain information about the users, roles, groups, applications, and devices belonging to that tenant," Microsoft said.
As recently as last month, the Windows maker said it observed the hacking crew shifting to "more direct methods" of stealing passwords, such as spear-phishing emails that lead to adversary-in-the-middle (AitM) landing pages designed to trick victims into handing over their login credentials.
The activity involved a typosquatted domain impersonating the Microsoft Entra authentication portal and targeted more than 20 NGOs in Europe and the U.S. The email messages claimed to come from the organizers of the European Defence and Security Summit and carried a PDF attachment containing a fake invitation to the summit.
Embedded in the PDF is a malicious QR code that redirects to the attacker-controlled domain micsrosoftonline[.]com, which hosts the credential phishing page. The phishing page is believed to be based on the open-source Evilginx phishing kit. Because an AitM page proxies the real sign-in flow, it captures not only the password but also the resulting session cookie, so a completed MFA prompt on the victim's side does not protect the account.
Post-exploitation activity following initial access involves abusing Microsoft Graph to enumerate users' mailboxes and cloud-hosted files, with automation used to facilitate bulk data collection. In some cases, the threat actor is also said to have accessed Microsoft Teams conversations and messages via the web client application.

"Many of the compromised organizations overlap with past, or in some cases concurrent, targeting by other well-known Russian state actors, such as Forest Blizzard, Midnight Blizzard, and Secret Blizzard," Microsoft said. "This intersection suggests shared espionage and intelligence collection interests assigned to the parent organizations of these threat actors."
Void Blizzard Linked to September Breach of Dutch Police Agency
In a separate advisory, the Dutch Military Intelligence and Security Service (MIVD) said that on September 23, 2024, the threat actor obtained work-related contact information of police employees by breaching a Dutch police employee's account via a pass-the-cookie attack.
A pass-the-cookie attack is a scenario in which an attacker uses a stolen session cookie, obtained via information stealer malware, to sign in to an account without entering a username and password; because the cookie represents an already-authenticated session, no fresh multi-factor authentication prompt is triggered either. It is currently not known whether other information was stolen, but it is likely that other Dutch organizations were also targeted.
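The two initial-access techniques the article attributes to Void Blizzard, password spraying and pass-the-cookie session reuse, both leave a recognizable shape in identity-provider sign-in logs. The following is an added example (not code from Microsoft's report or the MIVD advisory) that runs two simple heuristics over a set of constructed sign-in records. The record fields (`time`, `upn`, `ip`, `ua`, `errorCode`, `sessionId`, `auth_presented`) only loosely follow the Microsoft Entra ID sign-in log schema, the sample data is invented, and the thresholds are illustrative assumptions rather than any vendor's detection logic.

```python
"""Sign-in log heuristics for password spraying and pass-the-cookie reuse.

Added example with constructed data.  Field names loosely follow the
Entra ID sign-in log; thresholds are assumptions, not Microsoft's rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed user agents for the sample records.
SPRAY_UA = "python-requests/2.31"
CORP_UA = "Mozilla/5.0 (Windows NT 10.0) Edge/124"
ATTACKER_UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/124"


def rec(time, upn, ip, ua, error=0, session=None, auth_presented=True):
    """Build one constructed sign-in record.  errorCode 0 = success,
    50126 = invalid username or password.  auth_presented=False models a
    sign-in satisfied by an existing session token (cookie) alone, i.e.
    no password or MFA prompt was answered in this request."""
    return {"time": time, "upn": upn, "ip": ip, "ua": ua, "errorCode": error,
            "sessionId": session, "auth_presented": auth_presented}


# Constructed sample telemetry (not real log data).
SIGNINS = [
    # One source IP, a single failed attempt against each of six accounts
    # within five minutes: the low-and-slow shape of a password spray.
    rec("2024-09-23T01:00:00Z", "alice@example.org", "203.0.113.10", SPRAY_UA, 50126),
    rec("2024-09-23T01:01:00Z", "bob@example.org", "203.0.113.10", SPRAY_UA, 50126),
    rec("2024-09-23T01:02:00Z", "carol@example.org", "203.0.113.10", SPRAY_UA, 50126),
    rec("2024-09-23T01:03:00Z", "dave@example.org", "203.0.113.10", SPRAY_UA, 50126),
    rec("2024-09-23T01:04:00Z", "erin@example.org", "203.0.113.10", SPRAY_UA, 50126),
    rec("2024-09-23T01:05:00Z", "frank@example.org", "203.0.113.10", SPRAY_UA, 50126),
    # A user mistyping a password twice from the office, then succeeding.
    rec("2024-09-23T07:58:00Z", "grace@example.org", "198.51.100.7", CORP_UA, 50126),
    rec("2024-09-23T07:58:30Z", "grace@example.org", "198.51.100.7", CORP_UA, 50126),
    rec("2024-09-23T07:59:00Z", "grace@example.org", "198.51.100.7", CORP_UA, session="sess-91c0"),
    # bob authenticates with credentials, then his session is silently
    # refreshed from the same browser ...
    rec("2024-09-23T08:00:00Z", "bob@example.org", "198.51.100.7", CORP_UA, session="sess-4f2a"),
    rec("2024-09-23T09:15:00Z", "bob@example.org", "198.51.100.7", CORP_UA,
        session="sess-4f2a", auth_presented=False),
    # ... and later the same session cookie is replayed from a different
    # network and browser with no credential or MFA prompt at all.
    rec("2024-09-23T14:30:00Z", "bob@example.org", "203.0.113.55", ATTACKER_UA,
        session="sess-4f2a", auth_presented=False),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(hours=1), min_users=5):
    """Return {ip: sorted targeted UPNs} for source IPs whose failed
    sign-ins hit at least `min_users` distinct accounts within `window`.
    A spray tries one or two passwords per account across many accounts,
    so counting distinct *accounts per source* (not attempts per account)
    is what separates it from one user mistyping a password."""
    failures = defaultdict(list)  # ip -> [(time, upn), ...]
    for r in records:
        if r["errorCode"] == 50126:
            failures[r["ip"]].append((parse_time(r["time"]), r["upn"]))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window start
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def detect_session_reuse(records):
    """Return suspected pass-the-cookie events: a successful sign-in that
    presents a sessionId first seen from a different IP *and* a different
    user agent, without any credentials being presented.  Requiring both
    IP and UA to change cuts noise from VPN or mobile IP churn; requiring
    no credential prompt isolates token-only sign-ins.  A new-device
    sign-in that did present a password is a different signal (the
    stolen-credential path) and is deliberately not flagged here."""
    origin = {}  # sessionId -> first successful sign-in seen for it
    alerts = []
    for r in sorted(records, key=lambda x: x["time"]):  # ISO-8601 sorts lexically
        if r["errorCode"] != 0 or not r["sessionId"]:
            continue
        first = origin.setdefault(r["sessionId"], r)
        if first is r:
            continue
        if r["ip"] != first["ip"] and r["ua"] != first["ua"] and not r["auth_presented"]:
            alerts.append({"upn": r["upn"], "sessionId": r["sessionId"],
                           "origin_ip": first["ip"], "reuse_ip": r["ip"],
                           "reuse_ua": r["ua"], "time": r["time"]})
    return alerts


if __name__ == "__main__":
    for ip, users in detect_password_spray(SIGNINS).items():
        print(f"password spray from {ip}: {len(users)} accounts targeted")
    for a in detect_session_reuse(SIGNINS):
        print(f"session {a['sessionId']} of {a['upn']} established from "
              f"{a['origin_ip']} reused from {a['reuse_ip']} at {a['time']}")
```

In a real tenant the same two signals are available from the Entra ID sign-in logs (the error code, session identifier, IP address and user agent of each sign-in), and the response to a session-reuse hit is to revoke the user's refresh tokens and sessions rather than merely reset the password, since a stolen cookie survives a password change until the session itself is invalidated.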
"Laundry Bear is looking for information on the purchase and production of military equipment by Western governments and on Western supplies of weapons to Ukraine," Vice Admiral Peter Reesink, Director of the MIVD, said in a statement.