Russian APT group Midnight Blizzard targets more than 40 companies globally using Microsoft Teams

Microsoft customers worldwide are being targeted by a Russian APT group known as Midnight Blizzard, earlier known as Nobelium. To date, over 40 victims have been targeted globally, most of them small businesses. The attackers mainly targeted Microsoft Office 365 customers, stealing account credentials and using the compromised accounts to pose as genuine technical support entities.

Using social engineering, the group engages users and seeks their approval of Multi-Factor Authentication (MFA) requests. Many experts speculate that this is one of many cyber espionage attempts in which the group collects sensitive, secret information from businesses globally.

Midnight Blizzard, the group suspected to be behind it, is known to engage in cyber espionage activities aimed at government entities, non-government entities, and IT service providers in the US and other countries in Europe. Their main aim is to collect useful intel for the Russian Federation.

How does it work?

The following are some of the ways the attack works:

  • First, the attacker enters the organizational environment using credential theft and social engineering techniques.
  • The attacker uses phishing and credential theft techniques (whaling, spear phishing, password spray, and brute force attacks) to steal Microsoft Teams credentials.
  • Compromised Microsoft accounts are used to orchestrate social engineering attacks from a seemingly genuine domain built around keywords related to Microsoft products.
  • The targets are users with weak security settings on their accounts and users with passwordless configuration settings.
  • The attackers may pose as Microsoft support or as the security team and send malicious requests, or log into the account so that approval requests are sent to the user's Authenticator application.
  • The attacker may add a device to the organization in Entra ID and reconfigure access policies so that access to resources is restricted to managed devices.
  • When the request arrives, the user is prompted to enter a code in their Microsoft Authenticator app; once they enter the code, their account is breached.

SharkStriker's recommendations for Microsoft Teams-based phishing attacks

  • Use a strong password policy
  • Mandate two-factor authentication
  • Disable external access/communication with other tenants from the admin side
  • Admins must verify unknown external requests against whitelisted domains
  • Perform periodic posture assessments of Microsoft Office 365
  • Enable real-time scanning in Microsoft Defender for Office 365
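The attack flow above (a lookalike tenant themed on Microsoft products, posing as support, pushing an MFA code prompt) and the recommendation to verify unknown external requests against whitelisted domains can be turned into a simple triage rule for external Teams messages. The script below is an added example, not SharkStriker's or Microsoft's code; the allowlist, keyword list and sample messages are constructed, and the lure regex is an assumption about typical wording.

```python
import re
from dataclasses import dataclass

# Constructed allowlist of external tenants an admin has already verified
# (assumption: the organisation keeps such a list, as recommended above).
ALLOWED_EXTERNAL_DOMAINS = {"partner.example", "vendor.example"}

# Microsoft-product and support-themed keywords a lookalike tenant name may use.
BRAND_KEYWORDS = ("microsoft", "msft", "office365", "o365", "azure", "entra",
                  "defender", "security", "support", "helpdesk", "identity")

# Wording typical of an MFA-approval lure: a verb followed closely by an MFA noun.
MFA_LURE = re.compile(r"\b(approve|enter|verify|confirm)\b.{0,40}"
                      r"\b(code|request|authenticator|sign[- ]?in)\b", re.I | re.S)

@dataclass
class TeamsMessage:
    sender: str   # user principal name of the external sender
    text: str

def sender_domain(upn: str) -> str:
    """Lower-cased domain part of a UPN; no '@' means an empty domain."""
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""

def brand_keyword_hits(domain: str) -> list[str]:
    """Keywords found after stripping dots and hyphens, so
    'msft-security.example' still matches 'msft' and 'security'."""
    flat = domain.replace(".", "").replace("-", "")
    return [k for k in BRAND_KEYWORDS if k in flat]

def risk_flags(msg: TeamsMessage) -> list[str]:
    """Triage flags raised by one external Teams message, in fixed order."""
    flags = []
    domain = sender_domain(msg.sender)
    if domain not in ALLOWED_EXTERNAL_DOMAINS:
        flags.append("unverified-external-tenant")
        if brand_keyword_hits(domain):      # only matters on unverified tenants
            flags.append("brand-lookalike-domain")
    if MFA_LURE.search(msg.text):
        flags.append("mfa-approval-lure")
    return flags

def triage(messages: list[TeamsMessage]) -> list[tuple[str, list[str]]]:
    """Messages raising at least one flag, for an analyst to review."""
    return [(m.sender, f) for m in messages if (f := risk_flags(m))]

# Constructed sample messages (not real campaign data).
SAMPLE = [
    TeamsMessage("helpdesk@msft-securityteam.example",
                 "Microsoft Support here: please enter the code shown in your Authenticator app."),
    TeamsMessage("alice@partner.example", "Lunch at noon?"),
    TeamsMessage("bob@otherco.example", "Can you share the Q3 report?"),
]
```

Running `triage(SAMPLE)` flags the first message on all three counts and the third only as an unverified tenant; a verified partner message raises nothing.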
