CyberSecurity SEE

Microsoft Issues Alert on Covert Password Attacks

The threat actor “Midnight Blizzard” has been increasing their credential attack activity, targeting various sectors including governments, IT service providers, NGOs, the defense industry, and vital manufacturing. To conceal the origin of their attacks, they have been using residential proxy services.

These credential attacks combine several tactics, including password spraying, brute force attacks, and token theft. Microsoft has detected this surge in activity and shared its findings through its Threat Intelligence account on Twitter, highlighting how Midnight Blizzard uses residential proxy services to obfuscate the source of its attacks.

In addition to these tactics, Midnight Blizzard has also carried out session replay attacks using stolen sessions, possibly obtained through illegal means. This allows them to gain initial access to cloud resources. To further hide connections made with compromised credentials, they route them through low-reputation IP addresses supplied by residential proxy providers.

Microsoft acknowledges the challenges in dealing with these attacks, as the threat actor only uses these IP addresses for short periods, making scoping and remediation efforts more difficult. It is worth noting that this same organization, known as Midnight Blizzard or NOBELIUM, was responsible for the infamous SolarWinds breach in late 2021.
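Because each proxy address is used only briefly, a rule keyed on source IP sees a single failure per address and stays silent, while counting distinct failing accounts per time window across the whole tenant still surfaces the spray. The Python below is an added example, not Microsoft's detection logic or code from the original article; the record layout, thresholds, and function names are assumptions, and the sample sign-in records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: (time, account, source IP, succeeded).
# Accounts are made up; IPs come from the RFC 5737 documentation ranges.
SAMPLE = [
    ("2023-06-21T09:00:05", "alice", "198.51.100.7", False),
    ("2023-06-21T09:02:10", "bob", "203.0.113.20", False),
    ("2023-06-21T09:04:40", "carol", "192.0.2.55", False),
    ("2023-06-21T09:07:15", "dave", "198.51.100.91", False),
    ("2023-06-21T09:09:30", "erin", "203.0.113.144", False),
    ("2023-06-21T09:11:02", "frank", "192.0.2.8", False),
    ("2023-06-21T09:12:00", "alice", "192.0.2.200", True),   # ordinary user login
    ("2023-06-21T11:30:00", "bob", "192.0.2.77", False),     # isolated typo
]

def failures_by_window(events, window):
    """Group failed sign-ins into fixed-size time buckets."""
    buckets = defaultdict(list)
    for ts, account, ip, ok in events:
        if not ok:
            t = datetime.fromisoformat(ts)
            start = datetime.min + (t - datetime.min) // window * window
            buckets[start].append((account, ip))
    return buckets

def per_ip_alerts(events, window=timedelta(minutes=30), min_accounts=5):
    """Classic rule: one source IP failing against many accounts."""
    alerts = []
    for start, fails in failures_by_window(events, window).items():
        by_ip = defaultdict(set)
        for account, ip in fails:
            by_ip[ip].add(account)
        alerts += [(start, ip) for ip, accts in by_ip.items() if len(accts) >= min_accounts]
    return alerts

def tenant_wide_alerts(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """IP-agnostic rule: many accounts failing, few tries each, in one window."""
    alerts = []
    for start, fails in sorted(failures_by_window(events, window).items()):
        tries = defaultdict(int)
        for account, _ in fails:
            tries[account] += 1
        if len(tries) >= min_accounts and max(tries.values()) <= max_per_account:
            alerts.append({"window_start": start, "accounts": sorted(tries),
                           "distinct_ips": len({ip for _, ip in fails})})
    return alerts
```

On the sample data `per_ip_alerts` returns nothing, while `tenant_wide_alerts` flags the 09:00 window with six accounts failing from six different addresses. Fixed buckets can split a spray that straddles a boundary, so a production rule would use overlapping windows and thresholds tuned to the tenant's normal failure rate.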

In response to this growing threat, Microsoft has strengthened its defenses. It has introduced strong security features and improved detection capabilities in Microsoft Defender Antivirus, Defender for Endpoint, Defender for Cloud Apps, and Azure Active Directory. These measures aim to better protect against credential attacks and enhance overall cybersecurity.

The use of residential proxy services and low-reputation IP addresses highlights the evolving strategies of threat actors. By concealing their identities and the origin of their attacks, they can continue their malicious activities undetected. Organizations therefore need to remain vigilant and implement robust security measures to defend against these stealthy password attacks.

While Microsoft has taken steps to enhance its security solutions, it is crucial for businesses and individuals to prioritize cybersecurity as well. This includes using strong and unique passwords, enabling two-factor authentication, regularly updating software and applications, and educating employees about potential threats like credential attacks.

As threat actors continue to refine their techniques, organizations must remain proactive in their cybersecurity efforts. By staying informed about the latest threats and implementing comprehensive security measures, they can mitigate the risk of falling victim to credential attacks. Collaborative efforts between cybersecurity experts, technology providers, and law enforcement agencies are also crucial in combating these evolving threats and ensuring a safer digital landscape for all.
