Microsoft Teams phishing attack said to be linked to the Russian government, according to Microsoft.
The attack, which targets a list of global organizations, is a malicious campaign intended to steal login credentials via Microsoft Teams chats. According to Microsoft (San Francisco), these attackers masquerade as technical support groups.
A social engineering method used by these attackers has been observed targeting prominent organizations since May 2023.
In a statement issued on August 02, 2023:
“Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM).”
ATTACK DESCRIPTION:
After successfully compromising Microsoft 365 tenant accounts, the threat actors use those tenants' domains to leverage the messaging feature in Teams.
The attackers send a series of fictitious messages intended to steal credentials from the targeted organization and to obtain multifactor authentication (MFA) codes.
Microsoft has advised organizations using its services to ignore any authentication requests they did not initiate, and to treat such messages as malicious.
Microsoft's research team discovered that over 40 unique global organizations were affected by the attack. The objective of the attack is said to be espionage, targeting industries such as government, non-governmental organizations (NGOs), IT services, technology, discrete manufacturing, and the media sector.
INFORMATION ABOUT THE THREAT GROUPS:
The threat actors are known as Midnight Blizzard (NOBELIUM).
They are a foreign intelligence group belonging to the Russian Federation and based in Russia, according to the US and UK governments.
Their major targets are government, non-governmental organizations (NGOs), IT services, technology, discrete manufacturing, and the media sector, primarily based in the United States and Europe, with the sole aim of maliciously obtaining intelligence (sensitive information); this well-established and unwavering espionage of foreign interests dates back as far as 2018.
MODE OF OPERATION:
Still using past tricks with additional improvements, Midnight Blizzard has shown persistence and consistency in its mode of operation while maintaining similar objectives (obtaining intelligence).
Initial access methods used by this group include stolen credentials, supply chain attacks, exploitation of on-premises environments, lateral movement into the cloud, exploitation of service providers' trust chains to gain access to downstream customers, attacks on Active Directory Federation Services (AD FS), and malware known as FOGGYWEB and MAGICWEB.
THE GROUP LATEST PHISHING METHODS:
The group's latest phishing method involves token theft techniques used to gain initial access to the targeted environment.
Other methods include authentication spear-phishing (targeting specific groups of people via phishing emails), brute-forcing, password spraying, and other known credential attack methods. The malicious activity has been observed since late May 2023 and is said to be a subset of a wider credential attack campaign attributed to the threat group (Midnight Blizzard).
THE USE OF PROTECTED DOMAIN NAMES IN THEIR SCHEME:
To carry out the attack, the threat group uses previously compromised Microsoft 365 tenants belonging to small businesses to host and conduct its social engineering attacks. The compromised tenants are renamed, and a new onmicrosoft.com subdomain is added by the threat group.
They then add a new user associated with that domain, from which the outbound message is sent to the target tenant.
THE SOCIAL ENGINEERING ATTACK CHAIN:
The threat group targets either accounts with passwordless authentication configured, or user accounts for which credentials have already been obtained. Both procedures require the user to enter an authentication code, displayed during the sign-in procedure, into the Microsoft Authenticator app on their mobile device.
When attempting to authenticate to an account that requires MFA (multi-factor authentication), the threat actor is presented with a code that must be entered into the authenticator app. While the user receives a prompt on their mobile device to enter the code, the threat actor sends the user a Microsoft Teams message instructing them to enter the given code into the Authenticator prompt on their mobile device.
If the victim (user) follows the threat actor's instructions and enters the code in the authenticator app, the threat actor is granted a token to authenticate as the legitimate user (victim). The threat actor then conducts a series of post-compromise activities, including but not limited to adding a device to the organization's Microsoft Entra ID (previously known as Azure Active Directory).
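The attack chain above leaves two observable traces a defender can look for: a Teams sender from a lookalike *.onmicrosoft.com tenant, and an MFA-satisfied sign-in from an IP the user has never used, followed shortly by a device registration. The following is added example detection logic, not Microsoft's code or part of the original post; the log field names, users, IPs and tenant labels are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs), loosely modelled on Entra ID
# sign-in and audit log fields; names, IPs and tenant labels are invented.
SIGNINS = [
    {"time": "2023-08-02T09:00:00", "user": "alice@contoso.example",
     "ip": "203.0.113.10", "mfa": "Authenticator app", "result": "success"},
    {"time": "2023-08-02T09:30:00", "user": "bob@contoso.example",
     "ip": "198.51.100.7", "mfa": "Authenticator app", "result": "success"},
]
AUDITS = [
    {"time": "2023-08-02T09:04:00", "user": "alice@contoso.example",
     "activity": "Add registered device"},
    {"time": "2023-08-02T12:00:00", "user": "bob@contoso.example",
     "activity": "Add registered device"},
]
# IPs each user has signed in from before (constructed baseline).
KNOWN_IPS = {"bob@contoso.example": {"198.51.100.7"}}


def find_suspicious_device_adds(signins, audits, known_ips,
                                window=timedelta(minutes=15)):
    """Return (user, ip, device_add_time) for every successful MFA sign-in
    from an IP outside the user's baseline that is followed, within `window`,
    by a device registration for the same user: the sequence the attack
    chain produces once the victim approves the attacker's prompt."""
    hits = []
    for s in signins:
        if s["result"] != "success" or s["mfa"] == "none":
            continue
        if s["ip"] in known_ips.get(s["user"], set()):
            continue  # sign-in from a known location; not the pattern
        t0 = datetime.fromisoformat(s["time"])
        for a in audits:
            if a["user"] != s["user"] or a["activity"] != "Add registered device":
                continue
            delta = datetime.fromisoformat(a["time"]) - t0
            if timedelta(0) <= delta <= window:
                hits.append((s["user"], s["ip"], a["time"]))
    return hits


def is_untrusted_onmicrosoft_sender(sender_upn, trusted_domains):
    """Flag a Teams sender whose tenant is a *.onmicrosoft.com subdomain the
    organisation has not explicitly trusted (the lookalike-tenant technique)."""
    domain = sender_upn.rsplit("@", 1)[-1].lower()
    return domain.endswith(".onmicrosoft.com") and domain not in trusted_domains
```

In a real deployment the baseline of known IPs would come from historical sign-in data, and the window should be tuned to the tenant's normal device-enrolment behaviour.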
MITIGATION:
Microsoft mitigated this incident by blocking the domains used by these actors, launching an investigation into the hackers' activities, and working to remediate the impact of these attacks. Other recommendations can be read on Microsoft's official website.
Put your comments below in the comment section on your thoughts about this.