Microsoft said on Thursday that the Russian state-sponsored threat actors responsible for a cyberattack on its systems in late November 2023 have targeted other organizations, and that it is now starting to notify them.
The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a team of hackers tracked as APT29also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium) and The Dukes.
“This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers, primarily in the United States and Europe,” the Microsoft Threat Intelligence team said in a new advisory .
The main objective of these spy missions is to collect sensitive information of strategic interest to Russia by maintaining footholds for long periods of time without attracting any attention.
The latest revelations indicate that the reach of the campaign may have been greater than previously thought. The tech giant, however, did not reveal which other entities were spotted.
APT29 operations involve the use of legitimate but compromised accounts to gain and expand access within a target environment and fly under the radar. It is also known to identify and abuse OAuth applications to move laterally across cloud infrastructures and for post-compromise activities, such as email harvesting.
“They use multiple initial access methods ranging from stolen credentials to supply chain attacks, exploiting on-premises environments to move laterally into the cloud, and exploiting service providers’ chain of trust to gain access to downstream customers” , Microsoft noted.
Another notable tactic involves using hijacked user accounts to create, modify, and grant elevated permissions to OAuth applications that they can misuse to hide malicious activity. This allows threat actors to maintain access to applications, even if they lose access to the initially compromised account, the company pointed out.
These malicious OAuth applications are ultimately used to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts to exfiltrate data of interest.
In the November 2023 incident targeting Microsoft, the threat actor used a password spray attack to successfully infiltrate a legacy, non-production, test tenant account that did not have authentication enabled. multiple factors (MFA).
These attacks are launched from a distributed residential proxy infrastructure to hide their source, allowing the threat actor to interact with the compromised tenant and Exchange Online via a vast network of IP addresses also used by legitimate users.
“Midnight Blizzard’s use of residential proxies to obfuscate connections makes detection based on traditional indicators of compromise (IoC) impossible due to the high rate of IP address switching,” Redmond said, making it necessary for organizations take measures to defend against unauthorized OAuth applications and password spraying. .