Français
Deutsch
Español
Italiano
Português
日本語
한국어
Русский
Over $4K Worth Of Landscaping Equipment Stolen From Truck: Darien PD
Aug 18, 2023Best Hedge Trimmers of 2023
Aug 16, 2023Electric Hedge Trimmer Market Analysis Report by Marketing Strategy, Promotions, New Product Launches and Emerging Trends by 2033
Aug 06, 2023DR Power Commercial Field and Brush Mower Review XD26
Jul 17, 2023Bleeding Heartland
Jul 07, 2023Russian cyberspies defeat Microsoft number
Jun 25, 2023Spear-phishing attacks by the Midnight Blizzard advanced persistent threat group targeted Microsoft 365 tenants of small businesses.
A Russian state-run cyberespionage group known as APT29 has been launching phishing attacks against organizations that use fake security messages over Microsoft Teams in an attempt to defeat Microsoft’s two-factor authentication (2FA) push notification method that relies on number matching. “Our current investigation indicates this campaign has affected fewer than 40 unique global organizations,” Microsoft said in a report. “The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.”
Midnight Blizzard is Microsoft’s newly designated name for APT29, a threat group that has been operating for many years and is considered by the US and UK governments to be the hacking arm of Russia's foreign intelligence service, the SVR. APT29, also known in the security industry as Cozy Bear or NOBELIUM, was behind the 2020 SolarWinds software supply chain attack that impacted thousands of organizations worldwide, but was also responsible for attacks against many government institutions, diplomatic missions and military industrial base companies from around the world over the years.
APT29 gains access to systems and networks using a large variety of methods including through zero-day exploits, by abusing trust relationships between different entities inside cloud environments, by deploying phishing emails and web pages for popular services, through password spray and brute-force attacks, and through malicious email attachments and web downloads.
The latest spear-phishing attacks detected by Microsoft started in May and were likely part of a larger credential compromise campaign that first resulted in the hijacking of Microsoft 365 tenants that belonged to small businesses. Microsoft 365 tenants get a subdomain on the generally trusted onmicrosoft.com domain, so the attackers renamed the hijacked tenants to created subdomains with security and product related names to lend credibility to the next step in their social engineering attack.
The second step involved targeting accounts in other organizations for which they already obtained credentials or who had a passwordless authentication policy enabled. Both of these account types have enabled multi-factor authentication though what Microsoft calls number matching push notifications.
The 2FA push notification method involves users receiving a notification on their mobile device through an app in order to authorize a login attempt. It is a common implementation with many websites, but attackers started exploiting it with what is known as 2FA or MFA fatigue — an attack tactic that involve spamming a user whose credentials have been stolen with continuous push authorization requests until they think the system is malfunctioning and accept it, or worse, spamming users with 2FA phone calls in the middle of the night for those who have this option enabled.
Another common way to implement 2FA is by having the website require a code generated by an authenticator app on the user’s phone. However, attackers have found ways to bypass that method, too, by implementing phishing pages that act as reverse proxies between the user and the target website or service.
In response to these sort of attacks, Microsoft implemented another 2FA method that involves Microsoft websites sending a push notification to the Microsoft Authenticator app on the user’s mobile device that prompts the user to input a number inside the app. This number is displayed by the website during the authentication process. This method is called number matching and was made the default method for all Microsoft Authenticator push notifications starting May 8.
Now if an attacker tries to authenticate with a user’s stolen credentials, the user will be prompted in their Microsoft Authenticator app to input a number to complete the 2FA process, but the user doesn’t know the number displayed by the website because it’s not them who initiated the authentication in their browser. So APT29 set out to defeat this new challenge.
The way they achieved that was by contacting the targeted users over Microsoft Teams from accounts created under the onmicrosoft.com subdomains that they set up on the hijacked Microsoft 365 tenants. For example, victims saw Teams chat requests such as “Microsoft Identity Protection (External) wants to chat with you” coming from [email protected].
If the contact request was accepted, this was followed by a message telling the victim that changes were detected to the multi-factor authentication settings on their accounts and that they needed to open their Microsoft Authenticator app and type a certain number to help verify their identity. Of course, the number was the one that the attackers received from the Microsoft website and was needed to bypass the two-factor authentication to access the account.
“The actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant,” Microsoft researchers said. “In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.”
Microsoft’s recommendations for organizations to mitigate these attacks include: