The NOBELIUM hackers have been linked to Russia and are known for the SolarWinds hack in 2021.
Microsoft has detected a significant surge in credential attack activity orchestrated by the notorious threat actor known as Midnight Blizzard. What sets these attacks apart is the cunning use of residential proxy services to conceal the origin of their malicious activities.
The targets of these nefarious acts include governments, IT service providers, NGOs, defence industry entities, and critical manufacturing units.
Midnight Blizzard, also known by their codename NOBELIUM, employs a range of sophisticated techniques to carry out these credential attacks. The arsenal includes password spray, brute force, and token theft methods.
To compound the threat, the threat actor has been found to employ session replay attacks, allowing them to gain initial access to cloud resources by leveraging stolen sessions likely obtained through illicit means.
One particularly notable aspect of these attacks is the use of low-reputation IP addresses, commonly associated with residential proxy services. By routing connections made with compromised credentials through these addresses, Midnight Blizzard obscures the true origin of its sessions and makes it exceedingly difficult to trace their activities.
In a series of tweets, Microsoft explained that to further complicate matters, the threat actor utilizes these IP addresses for brief periods, posing significant challenges to effective scoping and remediation efforts.
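The password spray and short-lived-IP behaviour described above leaves a recognisable pattern in sign-in telemetry: one source address fails against many distinct accounts in a short window, sometimes followed by a success, and then goes quiet. The following is an added example of that detection logic, not code from Microsoft or from this article; the sign-in records are constructed sample data with documentation-range addresses, and the field layout, window size and account threshold are assumptions that would be tuned to a real tenant's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (timestamp, source IP, account, result).
# 203.0.113.7 sprays one guess across six accounts in under two minutes and
# lands on "erin"; 198.51.100.4 is a normal user mistyping a password;
# 192.0.2.9 fails against only two accounts and stays below the threshold.
SAMPLE_SIGNINS = [
    ("2024-01-10T09:00:01Z", "203.0.113.7", "alice", "failure"),
    ("2024-01-10T09:00:12Z", "203.0.113.7", "bob", "failure"),
    ("2024-01-10T09:00:25Z", "203.0.113.7", "carol", "failure"),
    ("2024-01-10T09:00:40Z", "203.0.113.7", "dave", "failure"),
    ("2024-01-10T09:01:03Z", "203.0.113.7", "erin", "failure"),
    ("2024-01-10T09:01:20Z", "203.0.113.7", "frank", "failure"),
    ("2024-01-10T09:03:45Z", "203.0.113.7", "erin", "success"),
    ("2024-01-10T09:05:00Z", "198.51.100.4", "alice", "failure"),
    ("2024-01-10T09:05:30Z", "198.51.100.4", "alice", "failure"),
    ("2024-01-10T09:06:00Z", "198.51.100.4", "alice", "success"),
    ("2024-01-10T09:30:00Z", "192.0.2.9", "bob", "failure"),
    ("2024-01-10T09:31:00Z", "192.0.2.9", "carol", "failure"),
]


def parse_signins(records):
    """Turn the raw tuples into (datetime, ip, user, result), oldest first."""
    parsed = [
        (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result)
        for ts, ip, user, result in records
    ]
    return sorted(parsed)


def detect_password_spray(records, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failed sign-ins cover >= min_users distinct
    accounts inside any sliding window of length `window` (assumed thresholds).

    Returns {ip: finding}, where each finding records how many accounts were
    hit, how long the IP was active at all (short spans are typical of the
    proxy churn described in the article) and which accounts succeeded after
    the spray began (the ones an incident responder would look at first).
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_signins(records):
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, events in by_ip.items():
        failures = [(ts, user) for ts, user, result in events if result == "failure"]
        # Sliding window over failures: largest set of distinct accounts
        # attempted within `window` of each other.
        peak_distinct = 0
        start = 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            peak_distinct = max(peak_distinct, len({u for _, u in failures[start:end + 1]}))
        if peak_distinct < min_users:
            continue
        spray_start = failures[0][0]
        hits = sorted({user for ts, user, result in events
                       if result == "success" and ts >= spray_start})
        findings[ip] = {
            "distinct_users": peak_distinct,
            "first_seen": events[0][0],
            "last_seen": events[-1][0],
            "active_for": events[-1][0] - events[0][0],
            "successes_after_spray": hits,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"{ip}: {finding['distinct_users']} accounts in "
              f"{finding['active_for']}, successes={finding['successes_after_spray']}")
```

The same logic ports directly to a KQL query over Azure AD sign-in logs (group by source IP, count distinct failed accounts per time bin, join back to successes). Because the article notes that each proxy address is used only briefly, the `active_for` field matters: a finding whose IP was live for a few minutes and then disappeared should not be dismissed as noise, and the accounts in `successes_after_spray` are the ones whose sessions and tokens need to be revoked.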
It is worth noting that Midnight Blizzard or NOBELIUM is the same group that was behind the devastating SolarWinds hack in late 2021.
To counteract this escalating threat, Microsoft has fortified its defence measures. Microsoft Defender Antivirus, Defender for Endpoint, Defender for Cloud Apps, and Azure Active Directory have all been equipped with robust protections and enhanced detection mechanisms to guard against these attacks.