Microsoft: Ukrainian media have become a trap for the victims of the Midnight Blizzard group
News about events in Ukraine has become a tool for stealing the data of Roundcube mail users.
Microsoft specialists have discovered a surge in credential-theft attacks by the Midnight Blizzard group. During the attacks, the hackers use residential proxy services to hide their original IP addresses while targeting governments, IT service providers, NGOs, and the defense and critical manufacturing sectors.
Midnight Blizzard (Nobelium, APT29, Cozy Bear, Iron Hemlock and The Dukes) captured the world's attention with the SolarWinds supply chain compromise in December 2020 and continues to rely on stealthy tools in its targeted attacks against foreign ministries and diplomatic institutions around the world.
The attacks use password spraying, brute force and token theft techniques. According to Microsoft, the attacker also carried out session replay attacks to gain initial access to cloud resources, using stolen sessions that were likely acquired through illegal sale.
Experts also reported that APT29 used residential proxy services to route malicious traffic in an attempt to obfuscate connections made using compromised credentials. The hackers likely used these IP addresses for a very short period of time, which could make detection difficult.
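The two paragraphs above describe why per-IP detection struggles here: a spray spreads a few attempts across many accounts, and the proxy IP behind each attempt rotates quickly. The following added example (not code from Microsoft or CERT-UA) runs a classic per-IP failure counter and a source-agnostic "many distinct accounts failing in one window" detector over a constructed authentication log; the log format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, account, source IP, result.
# Six different accounts fail within 40 seconds, each from a different
# (assumed residential-proxy) address; alice later logs in normally.
SAMPLE_LOG = """\
2023-06-08T10:00:01Z alice 203.0.113.10 FAIL
2023-06-08T10:00:09Z bob 203.0.113.44 FAIL
2023-06-08T10:00:17Z carol 198.51.100.7 FAIL
2023-06-08T10:00:25Z dave 198.51.100.91 FAIL
2023-06-08T10:00:33Z erin 192.0.2.200 FAIL
2023-06-08T10:00:41Z frank 192.0.2.13 FAIL
2023-06-08T10:30:00Z alice 203.0.113.10 OK
2023-06-08T11:00:00Z alice 203.0.113.10 FAIL
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def per_ip_failures(events, threshold=5):
    """Classic detector: flag any source IP with >= threshold failures.
    Blind to a spray whose proxy address changes on every attempt."""
    counts = defaultdict(int)
    for _, _, ip, result in events:
        if result == "FAIL":
            counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}

def spray_windows(events, window=timedelta(minutes=5), min_users=5):
    """Spray detector: ignore the source and count distinct accounts failing
    inside a sliding time window. Returns {window_start: (users, ips)}."""
    fails = sorted((ts, u, ip) for ts, u, ip, r in events if r == "FAIL")
    alerts, start = {}, 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1  # slide the window forward
        users = {u for _, u, _ in fails[start:end + 1]}
        if len(users) >= min_users:
            ips = {ip for _, _, ip in fails[start:end + 1]}
            alerts[fails[start][0]] = (len(users), len(ips))
    return alerts

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-IP alerts:", per_ip_failures(ev))   # empty: no IP repeats enough
    print("spray alerts:", spray_windows(ev))      # one window, 6 users, 6 IPs
```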
According to the Center for Cyber Defense and Countering Cyber Threats of Ukraine (CERT-UA), the attacks used emails with attachments exploiting multiple vulnerabilities in the open source Roundcube webmail software (CVE-2020-12641, CVE-2020-35730 and CVE-2021-44026) for reconnaissance and data collection.
Midnight Blizzard Attack Chain
Notably, this activity is said to be consistent with attacks exploiting a zero-day vulnerability in Microsoft Outlook (CVE-2023-23397), which Microsoft attributed to the Russian group APT28 (Fancy Bear, Sofacy).