
Russia's Cozy Bear is back and hitting Microsoft Teams to phish top targets

Plus: Tenable CEO blasts Redmond's bug disclosure habits


An infamous Kremlin-backed gang has been using Microsoft Teams chats in attempts to phish marks in governments, NGOs, and IT businesses, according to the Windows giant.

In its latest crime spree, a crew that Microsoft Threat Intelligence now tracks as Midnight Blizzard uses previously compromised Microsoft 365 tenants to create domains that masquerade as organizations offering tech support. The gang then uses these domains to send Teams chat messages to targets in the hope that they follow links to webpages that phish their credentials – trick victims into entering their login details, basically.

Microsoft used to call this group Nobelium, while other security researchers track the Russian gang as APT29 or Cozy Bear. This group, which has been linked to Russia's Foreign Intelligence Service, is the crew accused of compromising the Democratic National Committee before the 2016 election and of pulling off the SolarWinds supply chain attack.

"Our current investigation indicates this campaign has affected fewer than 40 unique global organizations," Redmond said in a write-up.

"The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors."

As with any phishing campaign, this one starts with a lure — someone from outside the victim's organization claiming to be from tech support or a security team. If the victim OKs the miscreants' request to chat, the phisher then tries to trick their mark into entering a code into the Microsoft authenticator app on their mobile device, giving the criminal a token to authenticate as the victim and take over the user's 365 account to pillage the information within.

"In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only," Microsoft's threat intel team explained.

Microsoft also provided guidance to help organizations identify users targeted by these Teams phishing lures, as well as a list of subdomains controlled by Midnight Blizzard.
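As an added illustration (not Microsoft's published guidance or code), the kind of hunting logic a defender could run over chat and device-registration records to surface users who accepted a support-lookalike external Teams chat and then had a device registered shortly afterwards. The records, field names and the support-keyword list below are constructed for the example and simplified relative to the real Microsoft 365 audit log schema.

```python
import re
from datetime import datetime

# Constructed sample records in a simplified schema (not the real M365 audit
# log format); times are ISO 8601, "op" is the event type, "user" the target.
EVENTS = [
    {"time": "2023-08-02T10:00:00", "op": "TeamsExternalChat",
     "user": "alice@example.org", "sender": "admin@helpdesk-msteams.onmicrosoft.com"},
    {"time": "2023-08-02T10:25:00", "op": "DeviceRegistered",
     "user": "alice@example.org", "sender": None},
    {"time": "2023-08-02T11:00:00", "op": "TeamsExternalChat",
     "user": "bob@example.org", "sender": "partner@fabrikam.example"},
    {"time": "2023-08-02T12:00:00", "op": "TeamsExternalChat",
     "user": "carol@example.org", "sender": "it@security-support.onmicrosoft.com"},
    {"time": "2023-08-02T09:00:00", "op": "DeviceRegistered",
     "user": "dave@example.org", "sender": None},
]

# Words a tech-support lookalike tenant name is likely to carry (assumption).
SUPPORT_WORDS = re.compile(r"support|helpdesk|security|msteam|microsoft", re.I)


def is_suspicious_sender(address):
    """True if the sender sits in an onmicrosoft.com tenant whose name mimics support."""
    domain = address.rsplit("@", 1)[-1].lower()
    if not domain.endswith(".onmicrosoft.com"):
        return False
    tenant = domain[: -len(".onmicrosoft.com")]
    return bool(SUPPORT_WORDS.search(tenant))


def find_targeted_users(events, window_minutes=60):
    """Map each user who received a suspicious external chat to its findings,
    noting whether a device was registered for that user within the window
    (the conditional-access bypass step described in the article)."""
    findings = {}
    for chat in events:
        if chat["op"] != "TeamsExternalChat" or not is_suspicious_sender(chat["sender"]):
            continue
        t0 = datetime.fromisoformat(chat["time"])
        registered = any(
            e["op"] == "DeviceRegistered" and e["user"] == chat["user"]
            and 0 <= (datetime.fromisoformat(e["time"]) - t0).total_seconds() <= window_minutes * 60
            for e in events)
        findings.setdefault(chat["user"], []).append(
            {"sender": chat["sender"], "device_registered": registered})
    return findings


if __name__ == "__main__":
    for user, hits in find_targeted_users(EVENTS).items():
        print(user, hits)
```

A user whose finding shows `device_registered` as True warrants priority review, since the chat alone only indicates a lure was delivered.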

While we applaud Redmond for getting out ahead of the latest criminal efforts to compromise accounts, the timing is unfortunate as the Windows giant is already fighting several other security fires affecting its products and users.

In July Microsoft admitted that Chinese spies broke into Exchange Online email accounts, including those belonging to the US Department of State and the US Department of Commerce. 

Last week, US Senator Ron Wyden (D-OR) blamed Microsoft in scathing terms for the incident and demanded three separate government agencies launch investigations and hold Redmond responsible for "negligent cybersecurity practices."

Then on Wednesday the US House Committee on Oversight and Accountability opened an investigation into the Chinese cyber snooping on government agencies. 

In separate letters sent to Secretary of State Antony Blinken [PDF] and Secretary of Commerce Gina Raimondo [PDF], whose Microsoft email account was among those compromised, the lawmakers said the government break-ins "reflects a new level of skill and sophistication from China's hackers."

"The incident even raises the possibility that Chinese hackers may be able to access high-level computer networks and remain undetected for months if not years," the letters continue.

The elected officials requested staff briefings with both federal agencies "as soon as possible but no later than August 9," and said they want to know details about the discovery and impact of the intrusion, how each department responded, and what they are doing to prevent future failings. ®
