CyberSecurity SEE

Russian cyberspies bypass Microsoft’s number-matching 2FA policy using fabricated Teams messages


APT29, a Russian state-run cyberespionage group, has launched a new phishing campaign that targets organizations using Microsoft Teams. The group, also known as Midnight Blizzard, aims to defeat Microsoft’s two-factor authentication (2FA) push notification method by using fake security messages. According to Microsoft, fewer than 40 global organizations have been affected by this campaign, and the targeted organizations include government entities, non-government organizations (NGOs), IT services, technology companies, discrete manufacturing firms, and media sectors.

Midnight Blizzard, or APT29, has a long history of cyberattacks and is considered the hacking arm of Russia’s foreign intelligence service, the SVR. The group was responsible for the infamous SolarWinds software supply chain attack in 2020, which impacted thousands of organizations worldwide. They have also targeted government institutions, diplomatic missions, and military industrial base companies over the years.

To gain access to systems and networks, APT29 employs various tactics, including zero-day exploits, abusing trust relationships in cloud environments, phishing emails and web pages, password spray and brute-force attacks, and malicious email attachments and web downloads.

This recent spear-phishing campaign by Midnight Blizzard began in May and was likely part of a larger credential compromise campaign. The initial step involved hijacking Microsoft 365 tenants belonging to small businesses. By renaming the hijacked tenants and creating subdomains with security and product-related names, the attackers aimed to lend credibility to their social engineering attack.

The second step of the campaign focused on targeting accounts in other organizations for which the attackers had obtained credentials or that had a passwordless authentication policy enabled. Both of these account types had multi-factor authentication enabled, specifically through Microsoft’s number matching push notifications.

The 2FA push notification method sends a notification to the user's mobile device through an authenticator app, and the user approves or denies the login attempt from there. This method is widely used by websites and identity providers to strengthen account security. However, attackers have started exploiting it with a tactic known as 2FA or MFA fatigue: using stolen credentials, they trigger a continuous stream of push authorization requests until the user believes the system is malfunctioning and accepts one. In some cases, attackers even resort to spamming users with 2FA phone calls in the middle of the night.
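The fatigue pattern just described leaves a recognisable trace in sign-in telemetry: a burst of denied or timed-out push prompts followed by an approval. The following detector is an added example, not code from the article or from Microsoft; it runs over constructed sign-in events, and the field names, result values and threshold are assumptions rather than any product's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Each tuple is
# (timestamp, user, push_result); the result values are assumed names for
# the outcome of a push MFA prompt: "denied", "timeout" or "approved".
SAMPLE_EVENTS = [
    ("2023-05-10T02:01:00", "alice@example.org", "denied"),
    ("2023-05-10T02:01:40", "alice@example.org", "timeout"),
    ("2023-05-10T02:02:15", "alice@example.org", "denied"),
    ("2023-05-10T02:03:05", "alice@example.org", "timeout"),
    ("2023-05-10T02:04:30", "alice@example.org", "approved"),
    ("2023-05-10T09:15:00", "bob@example.org", "timeout"),
    ("2023-05-10T09:16:30", "bob@example.org", "approved"),
]


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: count} for users who had at least `threshold` denied or
    timed-out push prompts inside `window` immediately before an approval.

    A burst of unanswered prompts that ends in an approval is the signature
    of a fatigue attack: the user gives in, or approves because an attacker
    talked them into it (for example via a fabricated Teams message)."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((datetime.fromisoformat(ts), result))

    flagged = {}
    for user, rows in by_user.items():
        rejects = []  # timestamps of denied/timed-out prompts still in window
        for ts, result in rows:
            # Drop prompts that have slid out of the window.
            rejects = [t for t in rejects if ts - t <= window]
            if result in ("denied", "timeout"):
                rejects.append(ts)
            elif result == "approved" and len(rejects) >= threshold:
                flagged[user] = len(rejects)
    return flagged


if __name__ == "__main__":
    for user, n in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        print(f"possible MFA fatigue: {user} ({n} rejected prompts before approval)")
```

A single ignored prompt followed by an approval, as in the second user above, is normal behaviour and stays below the threshold; only the burst-then-approve sequence is flagged.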

Microsoft has been actively investigating this campaign and working on mitigating the risks posed by APT29. The company has advised organizations to adopt strong security practices, such as regularly updating software and implementing multi-factor authentication with more secure methods, like device-generated codes instead of number-matching push notifications.

It is crucial for organizations to remain vigilant against these types of phishing attacks and continuously educate their employees about the risks associated with opening suspicious emails or clicking on malicious links. By staying proactive in their cybersecurity measures, businesses can better protect themselves from APT29 and other threat actors seeking to exploit vulnerabilities in their systems and networks.

In conclusion, APT29’s recent phishing campaign targeting organizations using Microsoft Teams highlights the ongoing threat posed by state-sponsored cyber espionage groups. By leveraging fake security messages and exploiting vulnerabilities in Microsoft’s 2FA push notification method, the group aims to gain unauthorized access to sensitive information. It is essential for organizations to take proactive measures to enhance their cybersecurity defenses and mitigate the risk of falling victim to such attacks.
