Russian Hackers Who Hacked Microsoft Also Targeted Other Organizations – CybersecurityNews

On January 12, 2024, Microsoft identified a nation-state threat actor, “Midnight Blizzard,” attacking their corporate systems. Upon discovery, Microsoft deployed its incident response process to disrupt the malicious activity and mitigate the attack.
Notably, Microsoft has been tracking “Midnight Blizzard” for quite some time now.
However, Microsoft stated that the infiltration was possible because a legacy test account had a weak password that proved vulnerable to the threat actor's password-spray attack. Microsoft identified the attack by reviewing Exchange Web Services (EWS) activity and its audit logs.
According to the reports shared with Cyber Security News, Midnight Blizzard is a Russian state-sponsored threat actor responsible for compromising several governmental and private entities of foreign interest to Russia. 
Their targeted industries include governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers in the US and Europe. This particular threat actor has been active since 2018, and their primary focus is the espionage of foreign interests.
Midnight Blizzard uses several attack methods for espionage and intelligence gathering, such as stolen credentials, supply-chain attacks, lateral movement to the cloud, abusing OAuth applications, and many others. 
In the current attack against Microsoft, the threat actor used password spray attacks against a specific set of accounts, trying only a tailored list of passwords in order to evade detection.
The threat actor also launched these attacks through residential proxy infrastructure, so the sign-in attempts came from IP addresses that legitimate users also use. This improved their chances of evading detection and allowed the attack to continue over a long period until it succeeded.
Once an account has been compromised, the threat actor uses malicious OAuth applications to maintain persistence on it. In addition, the threat actor created a new user account that logs in using the attacker-controlled malicious OAuth application.
The malicious OAuth application was then used to authenticate to Microsoft Exchange Online and further target Microsoft corporate email accounts. The threat actor also used the legacy test OAuth application to grant themselves the full_access_as_app role on Office 365 Exchange Online, which provides access to mailboxes.
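The two behaviours described above, low-and-slow password spraying from many source IPs and an application holding full_access_as_app on Exchange Online, can both be hunted for in sign-in and app-role data. The following is an added example written for this article, not Microsoft's tooling; the log records are constructed, and the thresholds are assumptions a defender would tune to their own tenant.

```python
"""Hunting logic for the two behaviours described above, run over
constructed sign-in and app-role records (not Microsoft's own tooling)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: (timestamp, account, source_ip, result).
# Spraying through residential proxies shows as many accounts failing from
# many different IPs, with each IP touching only a few accounts.
SIGNINS = [
    ("2024-01-10T01:00:00", "svc-test01", "198.51.100.10", "fail"),
    ("2024-01-10T01:07:00", "svc-test02", "198.51.100.23", "fail"),
    ("2024-01-10T01:15:00", "svc-test03", "203.0.113.5", "fail"),
    ("2024-01-10T01:22:00", "svc-test04", "203.0.113.77", "fail"),
    ("2024-01-10T01:30:00", "svc-test05", "198.51.100.44", "fail"),
    ("2024-01-10T01:41:00", "svc-test01", "203.0.113.91", "success"),
    ("2024-01-10T03:00:00", "alice", "192.0.2.10", "fail"),      # ordinary typo
    ("2024-01-10T03:00:05", "alice", "192.0.2.10", "fail"),
    ("2024-01-10T03:00:09", "alice", "192.0.2.10", "success"),
]

def detect_low_and_slow_spray(events, window=timedelta(hours=1),
                              min_accounts=4, max_per_ip=2):
    """Flag windows where failures span many accounts and many IPs while each
    IP stays under a per-IP threshold (lockout-threshold evasion). Returns
    the set of accounts seen in any flagged window. Thresholds are assumed."""
    failures = sorted((datetime.fromisoformat(t), a, ip)
                      for t, a, ip, r in events if r == "fail")
    flagged = set()
    for i, (start, _, _) in enumerate(failures):
        chunk = [e for e in failures[i:] if e[0] - start <= window]
        accounts = {a for _, a, _ in chunk}
        per_ip = defaultdict(int)
        for _, _, ip in chunk:
            per_ip[ip] += 1
        if len(accounts) >= min_accounts and max(per_ip.values()) <= max_per_ip:
            flagged |= accounts
    return flagged

# Constructed app-role grants: (app_display_name, resource, role_value).
APP_ROLE_GRANTS = [
    ("Legacy Test App", "Office 365 Exchange Online", "full_access_as_app"),
    ("HR Sync", "Microsoft Graph", "User.Read.All"),
]

def apps_with_full_mailbox_access(grants):
    """Return apps granted full_access_as_app on Exchange Online, the role the
    article says gave the actor access to mailboxes; review each such grant."""
    return [app for app, res, role in grants
            if res == "Office 365 Exchange Online" and role == "full_access_as_app"]
```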
Furthermore, Microsoft also stated that “Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.”
Microsoft has published a detailed write-up on this threat actor that covers defense and protection guidance, mitigation steps, hunting methodologies, and other information.
Midnight Blizzard, also known as Cozy Bear, has also breached HPE's cloud-based email environment.
Today Hewlett-Packard disclosed to the SEC that they were compromised by APT29 a/k/a Cozy Bear a/k/a Midnight Blizzard
Information via @pancak3lullz
Cozy Bear had likely been lurking within HPE's systems since May 2023, pilfering data from a select group of mailboxes across various departments, including the cybersecurity department itself.
