Microsoft said on Thursday that the Russia-linked threat actors responsible for the intrusion into its systems in late November 2023, the group tracked as APT29, have also targeted other organizations, and that Microsoft has begun notifying them.
What Microsoft says about the Russian hacker group APT29
The disclosure comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack by the same group, APT29, also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.
“This cybercriminal group is known to mainly target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, mainly in the United States and Europe,” Microsoft's threat intelligence team said in a new advisory.
The main objective of these espionage operations is to collect sensitive information of strategic interest to Russia, maintaining a foothold for prolonged periods without attracting the attention of defenders.
The new disclosure indicates that the campaign's reach may have been broader than initially thought; however, the company did not say which other entities were targeted.
APT29's operations rely on legitimate accounts (in practice, stolen or otherwise compromised accounts) to gain and expand access within a target environment while going unnoticed; the group is also known to identify and abuse OAuth applications to move laterally across cloud infrastructure and for post-compromise activity such as email harvesting.
“They use multiple initial access methods ranging from stolen credentials to supply chain attacks, leveraging on-premises environments to move laterally to the cloud and leveraging service providers' chain of trust to gain access to downstream customers,” Microsoft said.
Another notable tactic involves using compromised user accounts to create, modify and grant high permissions to OAuth applications, which can then be used to hide malicious activity; this lets the attackers retain access to those applications even if they lose access to the initially compromised account, the company stressed.
These malicious OAuth applications were eventually used to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts to extract data of interest.
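The persistence pattern described above, a compromised account creating an OAuth application and then granting it broad application permissions, is something a defender can look for in Entra ID audit logs. The following is an added example, not code from Microsoft's advisory: it runs over a handful of constructed, simplified audit records (the field names and sample values are assumptions for this illustration; the operation names and permission names are real ones) and flags apps that received a high-risk permission, with a stricter check for the case where the same actor both created the app and privileged it.

```python
"""Flag high-privilege permission grants to OAuth applications in constructed
audit-log records. Added example, not from the advisory."""
from collections import defaultdict

# Permissions a defender would treat as high risk for mailbox or directory
# access. The names are real Exchange Online / Microsoft Graph permission
# names; which ones to include is an assumption for this example.
HIGH_RISK_PERMISSIONS = {
    "full_access_as_app",      # EWS: act on every mailbox as the application
    "Mail.Read",               # Graph application permission: read all mail
    "Mail.ReadWrite",
    "Directory.ReadWrite.All",
}

# Constructed audit events, simplified from what an Entra ID audit log
# carries. "app-0001" is an app created and then privileged by a test
# account; "app-0002" is a routine low-privilege grant by an admin.
SAMPLE_AUDIT_EVENTS = [
    {"time": "2023-11-30T02:11:05Z", "actor": "svc-test@example.com",
     "operation": "Add application", "app_id": "app-0001", "permission": None},
    {"time": "2023-11-30T02:12:40Z", "actor": "svc-test@example.com",
     "operation": "Add app role assignment to service principal",
     "app_id": "app-0001", "permission": "full_access_as_app"},
    {"time": "2023-11-30T02:13:02Z", "actor": "svc-test@example.com",
     "operation": "Add app role assignment to service principal",
     "app_id": "app-0001", "permission": "Directory.ReadWrite.All"},
    {"time": "2023-12-01T09:00:00Z", "actor": "it-admin@example.com",
     "operation": "Add app role assignment to service principal",
     "app_id": "app-0002", "permission": "User.Read"},
]


def find_risky_app_grants(events, risky=HIGH_RISK_PERMISSIONS):
    """Return {app_id: [(time, actor, permission), ...]} for every grant of a
    high-risk application permission found in the events."""
    findings = defaultdict(list)
    for ev in events:
        if ev["operation"] != "Add app role assignment to service principal":
            continue
        if ev["permission"] in risky:
            findings[ev["app_id"]].append((ev["time"], ev["actor"], ev["permission"]))
    return dict(findings)


def apps_created_and_privileged(events, risky=HIGH_RISK_PERMISSIONS):
    """Stricter signal: apps that were both registered and given a high-risk
    permission by the same actor, which is the pattern the advisory describes.
    Returns a list of (app_id, actor, permission)."""
    creators = {ev["app_id"]: ev["actor"]
                for ev in events if ev["operation"] == "Add application"}
    out = []
    for app_id, grants in find_risky_app_grants(events, risky).items():
        for _, actor, perm in grants:
            if creators.get(app_id) == actor:
                out.append((app_id, actor, perm))
    return out


if __name__ == "__main__":
    for app_id, grants in find_risky_app_grants(SAMPLE_AUDIT_EVENTS).items():
        print(f"high-risk grants to {app_id}: {grants}")
    print("created and privileged by same actor:",
          apps_created_and_privileged(SAMPLE_AUDIT_EVENTS))
```

In a real tenant the same logic would be fed from the audit log export rather than an inline list, and the permission list would be tuned to what the organization actually expects application-only access to.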
In the November 2023 incident against Microsoft, APT29 used a password spray attack to compromise a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled.
Such attacks are launched from a distributed residential proxy infrastructure to hide their origin, allowing the group to interact with the compromised tenant and Exchange Online through a vast pool of IP addresses that are also used by legitimate users.
“Midnight Blizzard's use of residential proxies to obfuscate connections makes detection based on traditional indicators of compromise (IoC) impractical due to the high rate of IP address switching,” Redmond said, highlighting the need for organizations to take measures to defend against fraudulent OAuth applications and password spray attacks.
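Because the source addresses rotate through residential proxies, a per-IP failure count, the classic IoC-style signal, sees one attempt per address and never fires. A spray still leaves a behavioural trace: many distinct accounts each failing a small number of times within a short window. The following added example (not code from Microsoft or the advisory) shows both views over constructed sign-in records, with the field names and sample data assumed for this illustration: the per-IP counter is noisier on a legitimate user who mistypes a password than on the spray, while the windowed per-account view flags the spray cleanly.

```python
"""Detect password-spray behaviour in constructed sign-in records when the
source IPs rotate. Added example, not from the advisory or from Microsoft."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sign-in failures. Twelve accounts each fail once, 20 seconds
# apart, every attempt from a different address (RFC 5737 test ranges used
# as stand-ins for rotating residential proxy IPs).
SAMPLE_SIGNINS = []
_base = datetime(2023, 11, 29, 3, 0, 0)
for i in range(12):
    SAMPLE_SIGNINS.append({"time": _base + timedelta(seconds=20 * i),
                           "user": f"user{i:02d}@example.com",
                           "ip": f"203.0.113.{i + 1}",
                           "status": "failure", "reason": "invalid password"})
# A legitimate user mistyping their password three times from one address.
for i in range(3):
    SAMPLE_SIGNINS.append({"time": _base + timedelta(minutes=30, seconds=10 * i),
                           "user": "alice@example.com", "ip": "198.51.100.7",
                           "status": "failure", "reason": "invalid password"})


def failures_per_ip(signins):
    """The IoC-style view: failed sign-ins counted per source address."""
    return Counter(s["ip"] for s in signins if s["status"] == "failure")


def detect_spray(signins, window=timedelta(minutes=10), min_users=10, max_per_user=3):
    """Slide a window over failed sign-ins and flag windows where at least
    min_users distinct accounts fail, none more than max_per_user times.
    Returns a list of (window_start, distinct_users, distinct_ips); once a
    window fires, scanning resumes after it so one spray yields one alert."""
    fails = sorted((s for s in signins if s["status"] == "failure"),
                   key=lambda s: s["time"])
    alerts = []
    i = 0
    while i < len(fails):
        j = i
        while j < len(fails) and fails[j]["time"] - fails[i]["time"] <= window:
            j += 1
        chunk = fails[i:j]
        per_user = Counter(s["user"] for s in chunk)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append((fails[i]["time"], len(per_user),
                           len({s["ip"] for s in chunk})))
            i = j  # skip past the window that already fired
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    by_ip = failures_per_ip(SAMPLE_SIGNINS)
    print("busiest source IP:", by_ip.most_common(1))        # the legitimate user
    for start, users, ips in detect_spray(SAMPLE_SIGNINS):
        print(f"spray window at {start}: {users} accounts from {ips} IPs")
```

The thresholds are deliberately simple; in production they would be tuned to the tenant's baseline, and the alert would be joined with the account's MFA state, since an account that cannot be sprayed into without a second factor is the mitigation the advisory points at.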