Abuse of residential proxy services, password spray key to Midnight Blizzard attacks, warns Microsoft — here's what that means for you

News
By Sead Fadilpašić
published

Recent attack on HPE was just the beginning, Microsoft warns.

A digital representation of a lock
(Image credit: Altalex)

The recent Midnight Blizzard attacks on Microsoft and HPE may be just the beginning, with the Russian threat actors are already targeting more global organizations, the former has warned.

In its detailed breakdown of the threat actor and the attack on its infrastructure, the Microsoft Threat Intelligence team noted, "This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the U.S. and Europe."

Midnight Blizzard, also known as Nobelium, APT29, or Cozy Bear, is on the prowl for sensitive data that can be of use to the Russian government, Microsoft added, noting  the campaign is bigger than originally thought, and that other firms are being targeted, as well.

Abusing compromised accounts

To move into corporate infrastructure, Midnight Blizzard uses compromised accounts and OAuth applications. The Russians would use compromised accounts to grant high permissions to OAuth applications. This allows them to maintain access even if the victim spots the attack and updates the login credentials. Their first target is always the email inbox, where they look for important correspondence. 

"They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, and exploitation of service providers' trust chain to gain access to downstream customers," it was stated in the report.

Less than a week ago, news broke that Microsoft’s highly-positioned individuals, including senior executives and those working in cybersecurity and legal departments, were targeted. The attackers, Midnight Blizzard, were allegedly able to steal “some emails and attached documents” related to themselves. 

Soon afterward, HPE also said its emails were targeted and a small percentage of them accessed.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.