Tuesday, February 27, 2024

Microsoft: Ukrainian media have become a trap for the victims of the Midnight Blizzard group

News about events in Ukraine has become a tool for stealing the data of Roundcube mail users.

Microsoft specialists discovered a surge in attacks by the Midnight Blizzard group focused on stealing credentials. During the attacks, the hackers use residential proxy services to hide the original IP addresses of attackers targeting governments, IT service providers, NGOs, and the defense and critical manufacturing sectors.

Midnight Blizzard (also known as Nobelium, APT29, Cozy Bear, Iron Hemlock and The Dukes) captured the world's attention with the SolarWinds supply chain compromise in December 2020 and continues to rely on stealthy tools in its targeted attacks against foreign ministries and diplomatic institutions around the world.

The attacks use various password spraying techniques, brute force and token theft. According to Microsoft, the attacker also carried out session replay attacks to gain initial access to cloud resources, using stolen sessions that were likely acquired through illicit sale.

Experts also reported that APT29 used residential proxy services to route malicious traffic in an attempt to obfuscate connections made using compromised credentials. The hackers likely used these IP addresses for a very short period of time, which could make detection difficult.
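The two preceding paragraphs describe password spraying carried out through short-lived residential proxy addresses, which is exactly the case where a per-IP failed-login threshold stops working. The following detection sketch is an added example, not code from the article or from Microsoft; it assumes a constructed sign-in log in a simple `key=value` format and groups failures by time window and account rather than by source IP.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in log for illustration only: fictitious accounts and
# RFC 5737 documentation addresses, not data from the article or any tenant.
SAMPLE_LOG = """\
2024-02-27T08:00:01Z user=alice@example.org result=FAIL ip=203.0.113.10
2024-02-27T08:00:09Z user=bob@example.org result=FAIL ip=198.51.100.23
2024-02-27T08:00:20Z user=carol@example.org result=FAIL ip=203.0.113.77
2024-02-27T08:00:31Z user=dave@example.org result=FAIL ip=192.0.2.45
2024-02-27T08:00:44Z user=erin@example.org result=FAIL ip=198.51.100.201
2024-02-27T08:00:58Z user=frank@example.org result=FAIL ip=192.0.2.130
2024-02-27T09:15:02Z user=grace@example.org result=FAIL ip=203.0.113.5
2024-02-27T09:15:10Z user=grace@example.org result=FAIL ip=203.0.113.5
2024-02-27T09:15:25Z user=grace@example.org result=OK ip=203.0.113.5
"""

def parse_line(line):
    """Return (timestamp, user, result, ip) from one 'ts key=value ...' line."""
    ts, rest = line.split(" ", 1)
    kv = dict(pair.split("=", 1) for pair in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["result"], kv["ip"]

def detect_spray(log_text, window_minutes=10, min_users=5, max_per_user=2):
    """Group failed sign-ins into fixed windows (window_minutes must divide 60)
    and flag a window where many distinct accounts each fail only a few times.
    The IP is not part of the key: rotating residential proxies defeat per-IP
    thresholds, so the IP set is reported only as supporting evidence."""
    windows = defaultdict(lambda: {"users": defaultdict(int), "ips": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = parse_line(line)
        if result != "FAIL":
            continue
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        windows[start]["users"][user] += 1
        windows[start]["ips"].add(ip)
    alerts = []
    for start in sorted(windows):
        users, ips = windows[start]["users"], windows[start]["ips"]
        worst = max(users.values())
        if len(users) >= min_users and worst <= max_per_user:
            alerts.append({"window": start.isoformat(), "distinct_users": len(users),
                           "distinct_ips": len(ips), "max_failures_per_user": worst})
    return alerts
```

On the sample log the 08:00 window is flagged (six accounts, one failure each, six different source addresses), while grace's two failures followed by a successful login at 09:15 are not, since a single account retrying its own password is not a spray.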

According to data from the Center for Cyber Defense and Countering Cyber Threats of Ukraine (CERT-UA), the attacks used emails with attachments exploiting multiple vulnerabilities in the open source Roundcube webmail software (CVE-2020-12641, CVE-2020-35730 and CVE-2021-44026) for reconnaissance and data collection.

Midnight Blizzard Attack Chain

The targeted phishing emails carried news stories about Ukraine, with subject lines and content mirroring real media outlets. A successful compromise allowed the hackers to deploy JavaScript malware that redirected victims' incoming emails to an address under the attackers' control and also stole the targets' contact lists.

More importantly, this activity is said to be consistent with attacks exploiting a zero-day vulnerability in Microsoft Outlook (CVE-2023-23397), which Microsoft attributed to the Russian group APT28 (Fancy Bear, Sofacy).
