Cyber Security Threat Summary:
In a series of Twitter posts last week, Microsoft stated that it has observed an uptick in credential-stealing attacks from Midnight Blizzard (aka Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes), a notorious Russian state-affiliated hacker group that was behind the 2020 SolarWinds attack. The latest intrusions are using a variety of password spray, brute force, and token theft techniques, with the group also conducting session replay attacks to gain initial access to cloud resources leveraging stolen sessions. Targets highlighted by Microsoft include governments, IT service providers, NGOs, the defense industry, and critical manufacturing.

It is interesting to note that the actors are using residential proxy services to obfuscate the source of their attacks. According to Microsoft, “the use of low-reputation IP addresses like those from residential proxy services helps obfuscate threat actor connections using compromised credentials. The threat actor likely used these IP addresses for very short periods, which could make scoping and remediation challenging.”

Security Officer Comments:
Residential proxies have become popular amongst cybercriminals as they are connected to residential internet connections and therefore are less likely to be identified as abnormal by website defenses. These proxies are obtained by threat actors by hacking legitimate residential devices such as modems or other IoTs or through malware that converts a home user's computer into a proxy without their knowledge. By using these devices, threat actors can also automate credential-stuffing attacks, with bots attempting to log in across numerous sites using previously stolen login credentials.

Suggested Correction(s):
Organizations should implement multi-factor authentication as this adds an additional layer of protection against credential-stuffing attacks. It’s also important to implement unique and strong passwords, as threat actors are known for launching brute-force attacks, where they will attempt to crack your credentials by submitting various password combinations until the correct one is found. Rotating passwords on a frequent basis is also key as sometimes these credentials might appear in data breaches, accessible to cybercriminals looking to conduct nefarious activities.

Link(s):
https://thehackernews.com/2023/06/microsoft-warns-of-widescale-credential.html