Russian Hackers Conducting Widescale Credential-Stealing Attacks, Warns Microsoft

June 26, 2023

Microsoft has issued a warning regarding a significant increase in credential-stealing attacks being carried out by the Russian state-affiliated hacker group, Midnight Blizzard. This group, also known under the names Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes, is known for its role in the SolarWinds supply chain compromise in December 2020. The group has been targeting governments, IT service providers, NGOs, defense, and critical manufacturing sectors.

The hackers have been using residential proxy services to hide the source IP address of the attacks. They have also been using a variety of techniques, including password spray, brute-force, and token theft, to conduct these attacks. Microsoft noted in a series of tweets that the group has also been conducting session replay attacks to gain initial access to cloud resources, likely using stolen sessions acquired through illicit sale.

The tactics used by APT29 include routing malicious traffic through residential proxy services to hide connections made using compromised credentials. Microsoft highlighted the challenge in scoping and remediation due to the short-term use of these IP addresses by the threat actor.

In related news, Recorded Future detailed a spear-phishing campaign conducted by another Russian hacker group, APT28, also known as BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight, and Fancy Bear. This group has been targeting government and military entities in Ukraine since November 2021. The attacks involved emails with attachments exploiting multiple vulnerabilities in the open-source Roundcube webmail software (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to gather data and conduct reconnaissance. Successful breaches allowed the hackers to deploy rogue JavaScript malware that redirected incoming emails of targeted individuals to an email address under the attackers' control and steal their contact lists.

The spear-phishing emails used by APT28 were designed to exploit recipients, with subject lines and content mirroring legitimate media sources related to Ukraine. The group has also been linked to attacks exploiting a then-zero-day flaw in Microsoft Outlook (CVE-2023-23397) that was used in limited targeted attacks against European organizations. This vulnerability was patched in Microsoft's March 2023 updates.

These findings highlight the persistent efforts by Russian threat actors to gather valuable intelligence on various entities in Ukraine and across Europe, particularly following Russia's full-scale invasion of Ukraine in February 2022. The cyberwarfare operations targeting Ukraine have been marked by the widespread deployment of wiper malware designed to delete and destroy data, marking one of the earliest instances of large-scale hybrid conflict. Recorded Future concluded that BlueDelta will almost certainly continue to target Ukrainian government and private sector organizations to support wider Russian military efforts.

Related News

• CISA Updates Known Exploited Vulnerabilities Catalog with Six New Flaws
• Zero-Click Windows Vulnerability Allows NTLM Credential Theft
• Microsoft Offers Guidance on Detecting Outlook Zero-Day Exploits
• Microsoft Warns of Outlook Zero-Day Exploitation, Offers Detection Script
• Microsoft Outlook Vulnerability Exploited in NTLM-Relay Attacks

Latest News

• Critical Vulnerability in miniOrange Social Login WordPress Plugin Exposes User Accounts
• Massive Data Breach at NYC Department of Education: 45,000 Students' Data Stolen
• China-Linked APT Group VANGUARD PANDA Employs New Techniques in Recent Cyber Attacks
• Critical Authentication Bypass in Grafana Due to Azure AD Integration
• NSA Warns Patching Insufficient to Thwart BlackLotus BootKit Attacks