Microsoft warns of increasing APT29 spy attacks targeting global organizations


Microsoft said Thursday that the Russian state-sponsored threat actors responsible for a cyberattack on its systems in late November 2023 have targeted other organizations and that the company is beginning to notify them.

The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had fallen victim to an attack perpetrated by a hacking crew tracked as APT29, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium) and The Dukes.

“This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers, primarily in the US and Europe,” the Microsoft Threat Intelligence team said in a new advisory.

The primary purpose of these spy missions is to collect sensitive information of strategic importance to Russia by maintaining a foothold for extended periods of time without attracting any attention.

The latest revelation indicates that the scale of the campaign may have been larger than previously thought. However, the tech giant did not reveal which other entities were singled out.

APT29’s activities involve using legitimate but compromised accounts to gain and expand access within a target environment and stay under the radar. It is also known to identify and exploit OAuth applications to move laterally across cloud infrastructures and for post-compromise activities such as email harvesting.

“They use a variety of initial access methods, ranging from stolen credentials to supply chain attacks, exploiting on-premise environments to move laterally to the cloud, and exploiting service providers’ chain of trust to gain access to downstream customers,” said Microsoft.

Another notable tactic is using compromised user accounts to create, modify, and grant high privileges to OAuth applications, which they can abuse to hide malicious activity. This allows threat actors to maintain access to applications even if they lose access to the initially compromised account, the company points out.

These malicious OAuth applications are ultimately used to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts to exfiltrate data of interest.
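The persistence pattern described in the two paragraphs above (an attacker-controlled account creating or modifying an OAuth application, granting it high privileges, and adding a credential so the app keeps working after the user account is cleaned up) leaves a recognisable trail in the tenant's audit log. The script below is an added example, not code from Microsoft or from the article; it runs over a handful of constructed audit events in a simplified shape and groups, per application, which high-risk application permissions were granted, whether a credential was added, and whether the actor is an account already known to be compromised. The permission names and operation strings are assumptions modelled on Exchange Online and Microsoft Graph application permissions; adjust them to your own tenant's audit schema.

```python
"""
Review simplified audit events for OAuth application changes that grant
tenant-wide privileges and add credentials: the persistence pattern the
article describes. All events below are constructed for this example.
"""
from collections import defaultdict

# Application (not delegated) permissions that give an app access to every
# mailbox or to the directory without any signed-in user. Example set only;
# tune to your tenant's risk appetite.
HIGH_RISK_PERMISSIONS = {
    "full_access_as_app",                  # Exchange Online: act as any mailbox
    "Mail.ReadWrite",                      # Graph: read/write all mailboxes
    "Directory.ReadWrite.All",             # Graph: modify the directory
    "RoleManagement.ReadWrite.Directory",  # Graph: assign directory roles
}

# Constructed audit events: who did what to which app, with granted permissions.
SAMPLE_EVENTS = [
    {"ts": "2023-11-20T02:11:04Z", "actor": "test-admin@tenant.example",
     "op": "Add service principal", "app": "app-1001", "permissions": []},
    {"ts": "2023-11-20T02:13:40Z", "actor": "test-admin@tenant.example",
     "op": "Add app role assignment to service principal", "app": "app-1001",
     "permissions": ["full_access_as_app"]},
    {"ts": "2023-11-20T02:15:02Z", "actor": "test-admin@tenant.example",
     "op": "Update application - Certificates and secrets management",
     "app": "app-1001", "permissions": []},
    {"ts": "2023-11-21T09:00:00Z", "actor": "it-ops@tenant.example",
     "op": "Add app role assignment to service principal", "app": "app-2002",
     "permissions": ["User.Read"]},
    {"ts": "2023-11-21T09:05:00Z", "actor": "it-ops@tenant.example",
     "op": "Add app role assignment to service principal", "app": "app-2002",
     "permissions": ["Directory.ReadWrite.All"]},
]


def review_oauth_changes(events, compromised_actors=frozenset()):
    """Return {app_id: finding} for every app that received a high-risk permission.

    A finding records the high-risk permissions, whether a credential (secret or
    certificate) was added to the app, which accounts made the changes, and
    whether any of them is in the supplied set of known-compromised actors.
    """
    per_app = defaultdict(lambda: {
        "high_risk": set(), "credential_added": False,
        "actors": set(), "by_compromised_actor": False,
    })
    for ev in events:
        app = per_app[ev["app"]]
        app["actors"].add(ev["actor"])
        if ev["actor"] in compromised_actors:
            app["by_compromised_actor"] = True
        app["high_risk"].update(set(ev["permissions"]) & HIGH_RISK_PERMISSIONS)
        if ev["op"].startswith("Update application") and "Certificates and secrets" in ev["op"]:
            app["credential_added"] = True
    return {app_id: f for app_id, f in per_app.items() if f["high_risk"]}


def severity(finding):
    """Rank a finding: privilege alone is 'review'; with a fresh credential it is
    'persistence'; made by a known-compromised account it is 'incident'."""
    if finding["by_compromised_actor"]:
        return "incident"
    if finding["credential_added"]:
        return "persistence"
    return "review"


if __name__ == "__main__":
    findings = review_oauth_changes(SAMPLE_EVENTS, {"test-admin@tenant.example"})
    for app_id, f in findings.items():
        print(app_id, severity(f), sorted(f["high_risk"]), sorted(f["actors"]))
```

On the constructed data, app-1001 is flagged as an incident (mailbox-wide permission plus a new credential, both added by the account the spray compromised), while app-2002 only needs review. In practice the actor set would come from the password-spray investigation, and the events from the unified audit log rather than an inline list.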

In the incident that targeted Microsoft in November 2023, the threat actor used a password spray attack to successfully infiltrate an outdated, non-production test tenant account that did not have multi-factor authentication (MFA) enabled.

Such attacks are launched from a distributed residential proxy infrastructure to conceal their origin, allowing the threat actor to communicate with the compromised tenant and with Exchange Online over a vast network of IP addresses also used by legitimate users.

“Midnight Blizzard’s use of residential proxies to obfuscate connections makes traditional indicators of compromise (IoC)-based detection infeasible due to the high switching rate of IP addresses,” Redmond said, making it imperative that organizations take steps to defend against rogue OAuth applications and password spraying.
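The three paragraphs above describe why a per-IP failure threshold does not catch this activity: the spray is low-and-slow per account and every attempt can arrive from a different residential proxy address. The script below is an added example, not code from Microsoft or from the article. It runs two detections over a constructed set of sign-in records: the classic per-IP rule, which fires on nothing, and a windowed rule that aggregates across source addresses, flags a window where many accounts each see a few failures from many IPs, and then lists accounts in that window that went on to sign in successfully without MFA. Field layout, thresholds and window size are assumptions to be tuned against real sign-in logs.

```python
"""
Detect a distributed, low-and-slow password spray from sign-in records and
surface accounts that then authenticated without MFA. Records are constructed
for this example; the field order is (timestamp, user, source_ip, result, mfa).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_SIGNINS = [
    ("2023-11-20T01:00:00Z", "alice@tenant.example",       "203.0.113.10",   "failure", False),
    ("2023-11-20T01:00:30Z", "bob@tenant.example",         "198.51.100.7",   "failure", False),
    ("2023-11-20T01:01:00Z", "carol@tenant.example",       "192.0.2.44",     "failure", False),
    ("2023-11-20T01:01:30Z", "dave@tenant.example",        "203.0.113.77",   "failure", False),
    ("2023-11-20T01:02:00Z", "erin@tenant.example",        "198.51.100.90",  "failure", False),
    ("2023-11-20T01:02:30Z", "legacy-test@tenant.example", "192.0.2.19",     "failure", False),
    ("2023-11-20T01:03:00Z", "frank@tenant.example",       "203.0.113.5",    "failure", False),
    ("2023-11-20T01:03:30Z", "legacy-test@tenant.example", "198.51.100.201", "success", False),
    # Ordinary user typo and retry hours later, from one internal address, with MFA.
    ("2023-11-20T08:00:00Z", "alice@tenant.example",       "10.0.0.5",       "failure", False),
    ("2023-11-20T08:00:20Z", "alice@tenant.example",       "10.0.0.5",       "success", True),
]

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def per_ip_failure_rule(signins, threshold=10):
    """Classic rule: alert on any single source IP with >= threshold failures.
    Against a residential-proxy spray every IP stays far below the threshold."""
    counts = defaultdict(int)
    for _, _, ip, result, _ in signins:
        if result == "failure":
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def detect_password_spray(signins, window_minutes=10, min_users=5, max_per_user=2, min_ips=3):
    """Bucket sign-ins into fixed windows and flag a window as a spray when
    many distinct accounts each fail only a few times from many distinct IPs.
    For a flagged window, also report sprayed accounts that then succeeded
    without MFA, which is where the attacker actually got in."""
    window = timedelta(minutes=window_minutes)
    buckets = defaultdict(list)
    for rec in signins:
        buckets[int((parse_ts(rec[0]) - _EPOCH) / window)].append(rec)

    findings = []
    for idx in sorted(buckets):
        recs = buckets[idx]
        fails_per_user, fails_per_ip = defaultdict(int), defaultdict(int)
        for _, user, ip, result, _ in recs:
            if result == "failure":
                fails_per_user[user] += 1
                fails_per_ip[ip] += 1
        if not fails_per_user:
            continue
        is_spray = (len(fails_per_user) >= min_users
                    and max(fails_per_user.values()) <= max_per_user
                    and len(fails_per_ip) >= min_ips)
        if not is_spray:
            continue
        sprayed = set(fails_per_user)
        no_mfa_success = sorted({user for _, user, _, result, mfa in recs
                                 if result == "success" and not mfa and user in sprayed})
        findings.append({
            "window_start": (_EPOCH + idx * window).isoformat(),
            "targeted_users": len(fails_per_user),
            "source_ips": len(fails_per_ip),
            "max_failures_per_ip": max(fails_per_ip.values()),
            "no_mfa_successes": no_mfa_success,
        })
    return findings


if __name__ == "__main__":
    print("per-IP rule:", per_ip_failure_rule(SAMPLE_SIGNINS))
    for f in detect_password_spray(SAMPLE_SIGNINS):
        print("spray window:", f)
```

On the constructed records the per-IP rule returns nothing, because no address fails more than once, while the windowed rule flags the 01:00 window (seven accounts, seven source IPs, one failure per IP) and names the MFA-less test account whose success follows the spray. That account is the one to lock, review for OAuth application changes, and retire if it is a forgotten non-production tenant.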
