Microsoft has shed light on a previously undocumented cluster of threat activity originating from a Russia-affiliated actor it tracks as Void Blizzard (aka Laundry Bear), which the company said is attributed to "worldwide cloud abuse."
Active since at least April 2024, the hacking group is linked to espionage operations aimed mainly at organizations that matter to Russian government objectives, including government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare in Europe and North America.
"They often use stolen sign-in details that they likely buy from online marketplaces to gain access to organizations," Microsoft noted in a report published today. "Once inside, they steal large amounts of emails and files."
The attacks mounted by Void Blizzard have been found to disproportionately single out NATO member states and Ukraine, suggesting that the adversary is seeking to collect intelligence in furtherance of Russian strategic objectives.
In particular, the threat actor is known to target government organizations and law enforcement agencies in NATO countries that provide direct military or humanitarian support to Ukraine. It is also said to have carried out successful attacks against the education, transportation, and defense verticals in Ukraine.
This includes the compromise, in October 2024, of several user accounts belonging to a Ukrainian aviation organization that had previously been targeted in 2022 by Seashell Blizzard, a threat actor associated with the Main Intelligence Directorate of the Russian General Staff (GRU).
The attacks are characterized as high-volume operations designed to breach targets of interest to the Russian government. Initial access relies on unsophisticated methods such as password spraying and the use of stolen authentication credentials.
In some cases, the threat actor used stolen credentials, likely sourced from infostealer logs sold on cybercrime underground markets, to access Exchange Online and SharePoint Online and harvest emails and files from the breached organizations.
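The password-spraying pattern described above is one of the easier Void Blizzard behaviours to spot in Entra ID sign-in logs. The following is an added example written for this page, not code from Microsoft's report or from any tool it names: a heuristic that flags a source IP failing against many distinct accounts within a short window, then reports any account that signed in successfully from that IP, which is the account whose mailbox and SharePoint access should be reviewed first. The sign-in events are constructed, the source IPs use documentation ranges, and the thresholds are assumptions; error code 50126 is Entra ID's "invalid username or password" result.

```python
"""Password-spray detection over Entra ID sign-in records.

Added example for this article, not code from Microsoft's report. The
sign-in events below are constructed; the source IPs use RFC 5737
documentation ranges. Error code 50126 is Entra ID's "invalid username
or password" result.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # Entra ID sign-in error for a wrong password
SUCCESS = 0

# Constructed sample events: (UTC timestamp, user principal name, source IP, result code).
SAMPLE_SIGNINS = [
    # One IP cycles through six accounts in a few minutes, then signs in as one of them.
    ("2024-04-02T08:00:01Z", "alice@example.org", "203.0.113.5", INVALID_CREDENTIALS),
    ("2024-04-02T08:01:12Z", "bob@example.org",   "203.0.113.5", INVALID_CREDENTIALS),
    ("2024-04-02T08:02:30Z", "carol@example.org", "203.0.113.5", INVALID_CREDENTIALS),
    ("2024-04-02T08:03:45Z", "dave@example.org",  "203.0.113.5", INVALID_CREDENTIALS),
    ("2024-04-02T08:05:02Z", "erin@example.org",  "203.0.113.5", INVALID_CREDENTIALS),
    ("2024-04-02T08:06:20Z", "frank@example.org", "203.0.113.5", INVALID_CREDENTIALS),
    ("2024-04-02T08:40:11Z", "frank@example.org", "203.0.113.5", SUCCESS),
    # One user failing repeatedly from another IP: a forgotten password, not a spray.
    ("2024-04-02T09:00:00Z", "grace@example.org", "198.51.100.7", INVALID_CREDENTIALS),
    ("2024-04-02T09:00:30Z", "grace@example.org", "198.51.100.7", INVALID_CREDENTIALS),
    ("2024-04-02T09:01:00Z", "grace@example.org", "198.51.100.7", INVALID_CREDENTIALS),
    ("2024-04-02T09:02:00Z", "grace@example.org", "198.51.100.7", SUCCESS),
    # Two accounts from a third IP: below the threshold used here.
    ("2024-04-02T10:00:00Z", "heidi@example.org", "192.0.2.9", INVALID_CREDENTIALS),
    ("2024-04-02T10:01:00Z", "ivan@example.org",  "192.0.2.9", INVALID_CREDENTIALS),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, min_users=5, window=timedelta(minutes=30)):
    """Map source IP -> sorted accounts for IPs showing a spray pattern.

    A spray is many distinct accounts failing from one IP inside `window`.
    A single account failing many times is brute force or a typo and is
    deliberately not flagged by this rule.
    """
    failures = defaultdict(list)
    for ts, user, ip, code in events:
        if code == INVALID_CREDENTIALS:
            failures[ip].append((parse_ts(ts), user))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def successes_after_spray(events, **kwargs):
    """Map spraying IP -> accounts that signed in successfully from it.

    A success from a spraying IP is the account most likely compromised and
    is where mailbox and SharePoint activity should be reviewed next.
    """
    spray_ips = detect_password_spray(events, **kwargs)
    compromised = defaultdict(set)
    for ts, user, ip, code in events:
        if code == SUCCESS and ip in spray_ips:
            compromised[ip].add(user)
    return {ip: sorted(users) for ip, users in compromised.items()}


if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"spray from {ip}: {len(users)} accounts targeted")
    for ip, users in successes_after_spray(SAMPLE_SIGNINS).items():
        print(f"successful sign-in from spraying IP {ip}: {users}")
```

The window and account threshold are deliberately conservative so that a help-desk reset or a user mistyping a password does not trip the rule; a real deployment would also group by ASN or user-agent, since an actor with purchased credential lists rotates source IPs.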
"The threat actor also, in some cases, enumerates the compromised organization's Microsoft Entra ID configuration using the publicly available AzureHound tool to obtain information about the users, roles, groups, applications, and devices belonging to that tenant," Microsoft said.
As recently as last month, the Windows maker said it observed the hacking group shifting to "more direct methods" of stealing passwords, such as sending spear-phishing emails designed to trick victims into handing over their credentials on adversary-in-the-middle (AitM) landing pages.
The activity entailed the use of a typosquatted domain to impersonate the Microsoft Entra authentication portal in attacks against 20 NGOs in Europe and the U.S. The email messages purported to come from the organizer of the European Defense and Security Summit and carried a PDF attachment with fake summit invitations.
The real purpose of the PDF document is a malicious QR code that redirects to an attacker-controlled domain ("micsrosoftonline(.)com") hosting the phishing page. The phishing page is believed to be based on the open-source Evilginx phishing kit.
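The typosquatted domain above differs from the real sign-in domain by a single inserted character, which is exactly what an edit-distance check against an allowlist is built to catch. The following is an added example written for this page, not code from Microsoft or from the Evilginx project: it takes the URLs that a batch of QR codes decode to and classifies each as legitimate, a lookalike of a Microsoft sign-in domain, or unrelated. The allowlist, the distance threshold and the sample URLs are assumptions for the example; the attacker domain is the one the article reports, written undefanged so it can be parsed.

```python
"""Lookalike check for the Entra sign-in domain used in QR-code phishing.

Added example for this article, not code from Microsoft or from Evilginx.
The allowlist and threshold are assumptions; the URLs are constructed,
except the attacker domain, which is the one reported in the article.
"""
from urllib.parse import urlparse

# Assumed allowlist of registrable domains a Microsoft sign-in flow may land on.
LEGIT_LOGIN_DOMAINS = {"microsoftonline.com", "microsoft.com"}
LOOKALIKE_MAX_DISTANCE = 2  # edits from a legitimate domain that still count as a lookalike


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname.

    Simplification for the example: assumes a one-label public suffix such
    as .com. A production check would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_login_url(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sign-in link."""
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg in LEGIT_LOGIN_DOMAINS:
        return "legitimate"
    if any(levenshtein(reg, legit) <= LOOKALIKE_MAX_DISTANCE for legit in LEGIT_LOGIN_DOMAINS):
        return "lookalike"
    return "unrelated"


# Constructed sample: where the QR codes in a batch of PDF invitations point.
SAMPLE_QR_TARGETS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://micsrosoftonline.com/common/oauth2/authorize",  # domain from the report
    "https://login.micsrosoftonline.com/",
    "https://example.org/summit-invitation",
]


def triage(urls):
    """Classify every decoded QR target so lookalikes can be blocked or escalated."""
    return {url: classify_login_url(url) for url in urls}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_QR_TARGETS).items():
        print(f"{verdict:10s} {url}")
```

Comparing the registrable domain rather than the full hostname matters here: an AitM kit sits on a domain the attacker controls and can add any subdomain, so "login.micsrosoftonline.com" must be judged on "micsrosoftonline.com", not on the presence of a familiar "login." prefix.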
After gaining initial access, the threat actors abuse Exchange Online and Microsoft Graph to enumerate users' mailboxes and cloud-hosted files, then use automation to facilitate bulk data collection. In some cases, the threat actors are also said to have accessed Microsoft Teams conversations and messages through the web client application.
"Many of the compromised organizations overlap with past, and in some cases concurrent, targeting by Forest Blizzard, Midnight Blizzard, and Secret Blizzard," Microsoft said.