The Russian state-sponsored hackers behind the SolarWinds attacks are back, now using the Microsoft Teams application to mount targeted campaigns aimed at stealing Microsoft 365 credentials and pivoting into organizations’ Azure Active Directory environments and beyond.
Microsoft flagged the activity on Thursday, noting that the Midnight Blizzard advanced persistent threat (aka Nobelium, APT29, UNC2452, and Cozy Bear) has so far gone after around 40 organizations globally, spanning the government, nongovernmental organization (NGO), IT services, technology, discrete manufacturing, and media sectors.
But there are other victims, too. To carry out the attack, Midnight Blizzard is using compromised Microsoft 365 tenants, mainly small businesses, Redmond noted. Microsoft 365 has become a popular target for nation-state threats, most recently anchoring a sprawling email breach that affected government agencies in the US.
“The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant,” Microsoft researchers explained in a post. “The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages.”
The cyberattackers are posing as technical support in order to snow users into handing over their Microsoft 365 credentials and approving the multifactor authentication (MFA) prompts that follow.
Once the APT group is able to authenticate as the targeted user, they set about exfiltrating data from Microsoft 365 apps, which include Outlook, Teams, cloud versions of Microsoft Office, and more.
“In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only,” according to the post.
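The two tradecraft details above, the lookalike onmicrosoft.com subdomain used to send the Teams lure and the follow-on device registration in Entra ID, can be correlated in a simple detection. The following Python sketch is an added example, not code from Microsoft or from the original article: it flags external Teams senders whose onmicrosoft.com subdomain carries a security- or product-themed keyword, then looks for a device-registration audit event by the same recipient within a time window. The keyword list, the audit activity names in `DEVICE_OPERATIONS`, the domains and all events are constructed assumptions for illustration.

```python
"""Added detection sketch (not from the original article): correlate a Teams lure
from a lookalike onmicrosoft.com subdomain with a later device registration by
the recipient. Every event and domain below is a constructed sample."""
from datetime import datetime, timedelta

# Keywords a lure subdomain is likely to carry (assumed list, extend as needed).
LURE_KEYWORDS = ("security", "protection", "support", "helpdesk",
                 "identity", "msteams", "microsoft", "azure", "365")

# Entra ID audit activities that register a device (assumed display names).
DEVICE_OPERATIONS = {"Register device", "Add device",
                     "Add registered owner to device"}

# Constructed sample: external Teams messages received by our users.
TEAMS_MESSAGES = [
    {"ts": "2023-08-01T09:00:00", "recipient": "alice@contoso.example",
     "sender": "helpdesk@securityprotection-msteams.onmicrosoft.com"},
    {"ts": "2023-08-01T09:05:00", "recipient": "bob@contoso.example",
     "sender": "partner@fabrikam.example"},
    {"ts": "2023-08-01T10:00:00", "recipient": "carol@contoso.example",
     "sender": "it@contosoqa.onmicrosoft.com"},
]

# Constructed sample: Entra ID audit log entries.
AUDIT_EVENTS = [
    {"ts": "2023-08-01T09:40:00", "user": "alice@contoso.example",
     "operation": "Register device"},
    {"ts": "2023-08-01T09:50:00", "user": "carol@contoso.example",
     "operation": "Update user"},
    {"ts": "2023-08-01T11:00:00", "user": "bob@contoso.example",
     "operation": "Register device"},
    {"ts": "2023-08-03T09:00:00", "user": "alice@contoso.example",
     "operation": "Register device"},
]


def sender_domain(address):
    """Return the lower-cased domain part of an SMTP-style address."""
    return address.rpartition("@")[2].lower()


def is_lure_onmicrosoft_sender(address):
    """True for *.onmicrosoft.com senders whose subdomain label carries a lure keyword."""
    domain = sender_domain(address)
    suffix = ".onmicrosoft.com"
    if not domain.endswith(suffix):
        return False
    label = domain[: -len(suffix)]
    return any(keyword in label for keyword in LURE_KEYWORDS)


def correlate(messages, audit_events, window=timedelta(hours=24)):
    """Pair each lure message with a device registration performed by its
    recipient within `window` after the message was received."""
    hits = []
    for msg in messages:
        if not is_lure_onmicrosoft_sender(msg["sender"]):
            continue
        received = datetime.fromisoformat(msg["ts"])
        for event in audit_events:
            if event["user"].lower() != msg["recipient"].lower():
                continue
            if event["operation"] not in DEVICE_OPERATIONS:
                continue
            registered = datetime.fromisoformat(event["ts"])
            if received <= registered <= received + window:
                hits.append({"user": event["user"], "sender": msg["sender"],
                             "message_ts": msg["ts"], "device_ts": event["ts"],
                             "operation": event["operation"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(TEAMS_MESSAGES, AUDIT_EVENTS):
        print(hit)
```

Against the sample data only alice's registration 40 minutes after the lure is reported; bob's registration has no lure behind it, carol's sender carries no lure keyword, and alice's second registration two days later falls outside the window. In production the message feed would come from Teams audit data and the device events from the Entra ID audit log, and a device registration right after a lure is a strong signal precisely because it is what lets the actor satisfy a managed-device conditional access policy.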
The researchers added, “Midnight Blizzard is consistent and persistent in their operational targeting, and their [cyber-espionage] objectives rarely change.”