- Midnight Blizzard (aka NOBELIUM) was also involved in the SolarWinds hack.
- The group used hacked Microsoft 365 tenants owned by small businesses.
- The reported campaign impacted fewer than 40 unique global organizations.
- The goal of Midnight Blizzard is to collect intelligence through espionage.
- Microsoft has taken measures to mitigate the domains used by the group.
Microsoft has recently disclosed a highly targeted social engineering attack by the threat actor known as Midnight Blizzard (previously tracked as NOBELIUM). The attack involves credential theft phishing lures sent via Microsoft Teams chats, and it demonstrates the actor’s continued use of both new and traditional techniques to achieve its objectives.
According to Microsoft Threat Intelligence, the latest activity involves Midnight Blizzard using previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear to be legitimate technical support entities.
Using these domains, the threat actor sends Teams messages as lures to steal credentials from targeted organizations. The attack relies on engaging users and eliciting approval of multifactor authentication (MFA) prompts, ultimately giving the actor access to the victims’ Microsoft 365 accounts.
This campaign has impacted fewer than 40 unique global organizations. These targets indicate that Midnight Blizzard’s objectives primarily revolve around espionage, with a specific focus on government entities, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.
Midnight Blizzard, attributed by the US and UK governments to the Foreign Intelligence Service of the Russian Federation (SVR), is well-known for targeting governments, diplomatic entities, NGOs, and IT service providers primarily in the US and Europe.
According to Microsoft’s report, their main goal is to collect intelligence through dedicated espionage, and their operations have been ongoing since early 2018. The threat actor uses various initial access methods, including stolen credentials, supply chain attacks, and exploitation of on-premises environments to move laterally to the cloud.
To execute their latest attack, Midnight Blizzard uses security-themed or product name-themed domain names in their phishing lures. They compromise Microsoft 365 tenants of small businesses to host and launch the social engineering attacks. This tactic includes renaming the compromised tenant, adding a new onmicrosoft.com subdomain that reflects the new name, and creating a new user associated with that domain to send outbound messages to the target tenant. Because the subdomain sits under a genuine Microsoft namespace, the sender looks far more plausible than a look-alike domain registered by the attacker.
The attack chain observed in this activity relies on token theft techniques for initial access, as well as authentication spear-phishing, password spray, brute force, and other credential attacks. Where a targeted user has passwordless sign-in with the Microsoft Authenticator app configured, the actor starts a sign-in to that user’s account, which causes a code to be displayed, and then asks the user over Teams to enter that code into the Authenticator app on their mobile device. Entering the code approves the actor’s pending sign-in, so the account is taken over without the actor ever needing the password.
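The lure pattern described above can be hunted for in the Microsoft 365 unified audit log. The following PowerShell is an added example, not code from Microsoft’s report or from this article: it pulls Teams ChatCreated records, keeps those with a participant from a foreign tenant, and flags any participating domain that is an onmicrosoft.com subdomain carrying a security- or product-themed word. The keyword list, the `$ownDomains` value and the choice of the ChatCreated operation are assumptions for illustration, not published indicators, and the `ParticipantInfo`, `HasForeignTenantUsers` and `ParticipatingDomains` fields are taken from the Teams audit record schema and should be confirmed against a real record from your tenant before the script is relied on.

```powershell
# Added example (not from Microsoft's report or the Hackread article).
# Requires the ExchangeOnlineManagement module and a role that can search the audit log.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Assumption: themed words an attacker might put in a renamed tenant's label.
$lureKeywords = @('security', 'protection', 'identity', 'verification', 'support', 'helpdesk', 'teams', 'msft')
# Assumption: replace with the verified domains of your own tenant.
$ownDomains = @('contoso.com', 'contoso.onmicrosoft.com')

function Test-LureDomain {
    param([string]$Domain)
    # Only *.onmicrosoft.com subdomains are of interest: that is the namespace a renamed
    # tenant receives. Flag the label when it contains one of the themed keywords.
    if ($Domain -match '^(?<label>[^.]+)\.onmicrosoft\.com$') {
        $label = $Matches['label'].ToLower()
        foreach ($kw in $lureKeywords) {
            if ($label.Contains($kw)) { return $true }
        }
    }
    return $false
}

function Find-SuspiciousExternalTeamsChats {
    param([int]$DaysBack = 7)
    $start = (Get-Date).AddDays(-$DaysBack)
    $end   = Get-Date
    $hits  = @()
    # A fixed session id with ReturnLargeSet pages through results 5000 at a time.
    $sessionId = "teams-lure-hunt-$(Get-Date -Format yyyyMMddHHmmss)"
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType MicrosoftTeams -Operations ChatCreated `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        foreach ($rec in $page) {
            $data = $rec.AuditData | ConvertFrom-Json
            $info = $data.ParticipantInfo          # assumption: field names per Teams audit schema
            if (-not $info -or -not $info.HasForeignTenantUsers) { continue }
            # Domains in the chat that are not ours, then those matching the lure pattern.
            $foreign = @($info.ParticipatingDomains | Where-Object { $_ -and ($ownDomains -notcontains $_.ToLower()) })
            $suspect = @($foreign | Where-Object { Test-LureDomain $_ })
            if ($suspect.Count -gt 0) {
                $hits += [pscustomobject]@{
                    Time            = $rec.CreationDate
                    TargetUser      = $rec.UserIds
                    ChatThreadId    = $data.ChatThreadId
                    ExternalDomains = ($suspect -join ', ')
                }
            }
        }
    } while ($page -and $page.Count -gt 0)
    return $hits
}

Find-SuspiciousExternalTeamsChats -DaysBack 14 | Format-Table -AutoSize
```

Treat each hit as a lead rather than a verdict: correlate the target user and timestamp with their sign-in log (in particular Authenticator approvals shortly after the chat was created) before deciding whether the MFA prompt was the user’s own or the actor’s.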
In a comment to Hackread.com, Mike Newman, CEO of My1Login said “This is a highly sophisticated phishing scam that would be almost impossible to detect to the untrained eye. Because the attackers were using a legitimate Microsoft domain, it would only have taken a very curious and security-savvy user to investigate the prompts further and realise they were fake.”
Mr. Newman advised that “Businesses need to take their own remediation action against these threats and one of the best ways to do this is by removing passwords and credentials from users’ hands. This means even when highly sophisticated scams do reach user inboxes, users can’t be tricked into handing over their credentials because they simply do not know them.”
“Removing credentials and passwords from users can be achieved by implementing modern Identity Management solutions, which improve security but also remove cumbersome security checks within the enterprise to enhance the user experience and increase operational efficiency,” added Mr. Newman.
Microsoft has taken measures to mitigate the use of these domains by Midnight Blizzard and is actively investigating the campaign to remediate its impact. The company has directly notified targeted or compromised customers to help them secure their environments.
In response to this latest attack, Microsoft recommends several mitigations to reduce the risk of falling victim to such social engineering campaigns:
- Pilot and deploy phishing-resistant authentication methods for users.
- Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users accessing critical apps.
- Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked for chat and meetings.
- Enable Microsoft 365 auditing to investigate audit records if required.
- Select the best access settings for external collaboration.
- Allow only known devices that adhere to Microsoft’s recommended security baselines.
- Educate users about social engineering and credential phishing attacks, cautioning them against entering MFA codes sent via unsolicited messages.
- Train Microsoft Teams users to verify the “External” tagging on communication attempts from external entities and to be cautious about sharing sensitive information or authorizing sign-in requests over chat.
- Encourage users to review sign-in activity and report suspicious sign-in attempts.
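Three of the listed mitigations (phishing-resistant authentication strength via Conditional Access, an explicit allow list of trusted organizations for Teams external access, and unified audit logging) can be applied from PowerShell. The script below is an added example, not Microsoft’s or Hackread’s code, and assumes the Microsoft Graph, MicrosoftTeams and ExchangeOnlineManagement modules are installed; the pilot group name, the partner domains and the policy name are assumptions to be replaced with your own.

```powershell
# Added example (not from Microsoft's report or the Hackread article).
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups
Import-Module MicrosoftTeams
Import-Module ExchangeOnlineManagement

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'
Connect-MicrosoftTeams
Connect-ExchangeOnline

# 1. Conditional Access: require the built-in "Phishing-resistant MFA" authentication
#    strength for a pilot group. The policy starts in report-only mode so sign-ins that
#    would have been blocked can be reviewed before it is enforced ("pilot and deploy").
$strength   = Get-MgPolicyAuthenticationStrengthPolicy |
              Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
$pilotGroup = Get-MgGroup -Filter "displayName eq 'CA-Pilot-PhishingResistant'"   # assumption

$policy = @{
    displayName = 'Require phishing-resistant MFA (pilot)'                          # assumption
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroup.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 2. Teams external access: replace open federation with an explicit allow list and
#    block chat from consumer Teams and Skype accounts, so a message from an unknown
#    tenant (including a freshly renamed onmicrosoft.com one) never reaches users.
$allowedDomains = @('partner-one.example', 'partner-two.example') |                  # assumption
                  ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $allowedDomains
Set-CsTenantFederationConfiguration -AllowedDomains $allowList `
    -AllowFederatedUsers $true -AllowTeamsConsumer $false -AllowPublicUsers $false

# 3. Make sure the unified audit log is recording, so the Teams and sign-in records
#    needed to investigate a lure exist when an incident responder goes looking.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
```

After the report-only period, switch the policy’s state to `enabled` and widen the included users; the allow list should be reviewed whenever a partner relationship starts or ends, since any domain on it can message users without the “External” warning being the only line of defence.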
By adhering to these best practices, organizations can strengthen their defences against social engineering attacks and minimize the risk of unauthorized access to critical resources.