1.0 Introduction
A cyberespionage group known as APT29 or Midnight Blizzard has been launching phishing attacks against organizations using fake security messages sent via Microsoft Teams, in an attempt to defeat Microsoft’s two-factor authentication (2FA) push notification method that relies on number matching. Based on Microsoft’s report, this campaign has affected fewer than 40 unique global organizations, likely indicating specific espionage objectives by this group directed at the government, non-government organization (NGO), IT services, technology, discrete manufacturing, and media sectors.
Midnight Blizzard is Microsoft’s newly designated name for APT29, also known in the security industry as Cozy Bear or NOBELIUM, which was behind the 2020 SolarWinds software supply chain attack that impacted thousands of organizations worldwide. This group was also responsible for attacks against many government institutions, diplomatic missions and military industrial base companies worldwide.
2.0 Impact
Post-compromise activity by the threat actor typically involves information theft from the compromised Microsoft 365 tenant.
3.0 Techniques, Tactics and Procedures (TTPs)
In this activity, Midnight Blizzard either has obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.
After the threat actor attempts to authenticate to an account where this form of MFA is required, the threat actor is presented with a code that the targeted user would need to enter in the Microsoft Authenticator app on their smartphone. The targeted user receives the prompt for code entry on their device. The threat actor then sends a message to the targeted user over Microsoft Teams, urging the user to enter the code into the prompt on their device. The targeted user believes the message genuinely comes from Microsoft and enters the code supplied by the threat actor on their device.
Step 1: Teams request to chat
The targeted user receives a Microsoft Teams message request from an external user masquerading as Microsoft technical support or a Microsoft security team.
Figure 1: Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled account
Step 2: Request authentication app action
If the targeted user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on the targeted user’s mobile device.
Figure 2: A Microsoft Teams prompt with a code and instructions.
Step 3: Successful MFA authentication
If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.
The threat actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organisation as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely in an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.
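The sequence above (an MFA-satisfied sign-in from an address the user has never used, followed shortly by a device being registered to the tenant) can be turned into a simple correlation rule. The script below is an added example for this advisory, not code from MyCERT or Microsoft, and it runs over constructed sample records; the field names (upn, ip, ts, mfa_satisfied, operation) and the operation name "Add registered device" are assumptions loosely modelled on Entra ID sign-in and audit log columns, so map them to your own export before use.

```python
from datetime import datetime, timedelta

# Window after a suspicious sign-in within which a device registration is
# treated as part of the same intrusion (assumed value, tune per tenant).
WINDOW = timedelta(hours=2)

# Operation names that indicate a device joining the tenant (assumed names).
DEVICE_OPS = {"Add registered device", "Register device"}

# Constructed sample sign-in records (not real tenant data).
SIGNINS = [
    {"upn": "alice@example.com", "ip": "203.0.113.10", "ts": "2023-08-02T08:05:00", "mfa_satisfied": True},
    {"upn": "alice@example.com", "ip": "203.0.113.10", "ts": "2023-08-02T09:12:00", "mfa_satisfied": True},
    # The actor's sign-in: a new IP for this user, with MFA satisfied because
    # the victim typed the actor's number-matching code into Authenticator.
    {"upn": "alice@example.com", "ip": "198.51.100.77", "ts": "2023-08-02T10:30:00", "mfa_satisfied": True},
    {"upn": "bob@example.com", "ip": "203.0.113.20", "ts": "2023-08-02T10:00:00", "mfa_satisfied": True},
]

# Constructed sample audit records (field names are assumptions).
AUDITS = [
    {"upn": "alice@example.com", "ts": "2023-08-02T10:41:00", "operation": "Add registered device"},
    {"upn": "bob@example.com", "ts": "2023-08-02T15:00:00", "operation": "Add registered device"},
]


def _ts(value):
    """Parse the ISO 8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def correlate(signins, audits, window=WINDOW):
    """Return one alert per MFA-satisfied sign-in from an IP the user has not
    used before that is followed, within `window`, by the same user registering
    a device. Users with no earlier sign-in history are skipped because there
    is no baseline against which the IP can be called new."""
    alerts = []
    ordered = sorted(signins, key=lambda e: _ts(e["ts"]))
    for i, ev in enumerate(ordered):
        if not ev["mfa_satisfied"]:
            continue
        prior_ips = {e["ip"] for e in ordered[:i] if e["upn"] == ev["upn"]}
        if not prior_ips or ev["ip"] in prior_ips:
            continue
        t0 = _ts(ev["ts"])
        for audit in audits:
            if audit["upn"] != ev["upn"] or audit["operation"] not in DEVICE_OPS:
                continue
            delta = _ts(audit["ts"]) - t0
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "upn": ev["upn"],
                    "new_ip": ev["ip"],
                    "signin_ts": ev["ts"],
                    "device_ts": audit["ts"],
                    "minutes_between": int(delta.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGNINS, AUDITS):
        print(alert)
```

On the sample data only alice is flagged: her third sign-in comes from a fresh IP and a device is registered eleven minutes later. Bob's device registration is not flagged both because his single sign-in has no prior baseline and because it falls outside the two-hour window. In production the baseline should come from a longer history than the events being scored, otherwise every user's first sign-in of the day looks new.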
4.0 Indicators of Compromise
Indicator | Type | Description
msftprotection.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain
identityVerification.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain
accountsVerification.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain
azuresecuritycenter.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain
teamsprotection.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain
Table 1: Indicators of Compromise (Malicious Domain names used in the attack)
Figure 3: Message sent by the threat actor
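The indicators in Table 1 are published defanged, so they need to be normalised before they can be matched against Teams chat-request senders. The script below is an added example, not part of the advisory: it refangs the five tenant names from Table 1, checks constructed Teams message-request records against them, and applies a weaker second heuristic that flags any other external *.onmicrosoft.com tenant whose name carries security-support wording of the kind these lures used. The record fields (sender, is_external) and the LURE_WORDS list are assumptions.

```python
# Defanged entries exactly as listed in Table 1 of the advisory.
IOC_DOMAINS_DEFANGED = [
    "msftprotection.onmicrosoft[.]com",
    "identityVerification.onmicrosoft[.]com",
    "accountsVerification.onmicrosoft[.]com",
    "azuresecuritycenter.onmicrosoft[.]com",
    "teamsprotection.onmicrosoft[.]com",
]

# Wording used by the lure tenants above; this list is an assumption chosen
# for the heuristic, not something the advisory specifies.
LURE_WORDS = ("protection", "verification", "security", "support", "identity", "msft")


def refang(domain):
    """Turn a defanged indicator back into a matchable, lower-cased hostname."""
    return (domain.strip().lower()
            .replace("[.]", ".")
            .replace("(.)", ".")
            .replace("[dot]", "."))


IOC_DOMAINS = frozenset(refang(d) for d in IOC_DOMAINS_DEFANGED)


def sender_domain(address):
    """Extract the domain part of a UPN or e-mail style sender address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify(message):
    """Classify one Teams message request as known_ioc, suspicious_tenant or clean."""
    dom = sender_domain(message["sender"])
    if dom in IOC_DOMAINS:
        return "known_ioc"
    if message.get("is_external") and dom.endswith(".onmicrosoft.com"):
        tenant = dom[: -len(".onmicrosoft.com")]
        if any(word in tenant for word in LURE_WORDS):
            return "suspicious_tenant"
    return "clean"


def triage(messages):
    """Return (sender, verdict) pairs for a batch of message requests."""
    return [(m["sender"], classify(m)) for m in messages]


# Constructed sample message requests; the senders are invented for the example.
MESSAGES = [
    {"sender": "helpdesk@teamsprotection.onmicrosoft.com", "is_external": True},
    {"sender": "SecOps@IdentityVerification.onmicrosoft.com", "is_external": True},
    {"sender": "admin@contoso-securitysupport.onmicrosoft.com", "is_external": True},
    {"sender": "partner@fabrikam.onmicrosoft.com", "is_external": True},
    {"sender": "it-support@example.com", "is_external": False},
]

if __name__ == "__main__":
    for sender, verdict in triage(MESSAGES):
        print(f"{verdict:18} {sender}")
```

Exact matches against Table 1 are high confidence; the suspicious_tenant verdict is only a triage hint, since any tenant can choose a name containing those words, and it should lead to checking the External tag and the request content rather than to an automatic block. Matching is case-insensitive because two of the published indicators contain capital letters while Teams sender addresses may not.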
5.0 Recommendations
Microsoft recommends the following mitigations to reduce the risk of this threat:
- Pilot and start deploying phishing-resistant authentication methods for users.
- Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
- Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
- Keep Microsoft 365 auditing enabled so that audit records can be investigated if required.
- Understand and select the best access settings for external collaboration for your organization.
- Allow only known devices that adhere to Microsoft’s recommended security baselines.
- Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
- Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
- Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
- Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
- Always remember never to simply share credentials and personal information over the Internet.
- Report to relevant authorities or CERTs on detecting suspicious activities on the Internet or on your devices.
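The first two recommendations hinge on the distinction between plain MFA (which number matching still falls under, and which this campaign defeated) and a phishing-resistant authentication strength enforced through Conditional Access. The script below is an added example, not tooling from MyCERT or Microsoft: it scores a set of constructed Conditional Access policy objects, shaped loosely like the Microsoft Graph conditionalAccessPolicy resource, and reports which critical applications are still reachable by a given user with only plain MFA. The application and user identifiers are placeholders, and the authentication strength ID is the built-in Entra "Phishing-resistant MFA" value as the author understands it; confirm it against your own tenant before relying on it.

```python
# Built-in Entra authentication strength for "Phishing-resistant MFA"
# (assumption: verify the ID in your tenant's authentication strengths list).
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"

RANK = {"none": 0, "mfa_only": 1, "phishing_resistant": 2}

# Constructed sample policies; app and user IDs are placeholders, not real objects.
POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "displayName": "Phishing-resistant MFA for mail (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["APP-ID-MAIL-PLACEHOLDER"]}},
        "grantControls": {"authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}},
    },
    {
        "displayName": "Phishing-resistant MFA for admin portal",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"],
                                 "excludeUsers": ["USER-ID-BREAKGLASS-PLACEHOLDER"]},
                       "applications": {"includeApplications": ["APP-ID-ADMIN-PLACEHOLDER"]}},
        "grantControls": {"authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}},
    },
]


def policy_applies(policy, app_id, user_id):
    """True if an enabled policy targets this app for this user. Report-only
    policies are ignored because they do not block anything."""
    if policy.get("state") != "enabled":
        return False
    apps = policy["conditions"]["applications"].get("includeApplications", [])
    users = policy["conditions"]["users"].get("includeUsers", [])
    excluded = policy["conditions"]["users"].get("excludeUsers", [])
    app_ok = "All" in apps or app_id in apps
    user_ok = ("All" in users or user_id in users) and user_id not in excluded
    return app_ok and user_ok


def strength_of(policy):
    """Map a policy's grant controls to none / mfa_only / phishing_resistant."""
    grant = policy.get("grantControls") or {}
    strength = grant.get("authenticationStrength") or {}
    if strength.get("id") == PHISHING_RESISTANT_STRENGTH_ID:
        return "phishing_resistant"
    if "mfa" in grant.get("builtInControls", []):
        return "mfa_only"
    return "none"


def assess(policies, app_id, user_id):
    """Strongest requirement any applicable policy imposes on user -> app."""
    best = "none"
    for policy in policies:
        if policy_applies(policy, app_id, user_id):
            verdict = strength_of(policy)
            if RANK[verdict] > RANK[best]:
                best = verdict
    return best


def gaps(policies, critical_apps, user_id):
    """Critical apps this user can reach without phishing-resistant MFA."""
    return [app for app in critical_apps
            if assess(policies, app, user_id) != "phishing_resistant"]


if __name__ == "__main__":
    critical = ["APP-ID-MAIL-PLACEHOLDER", "APP-ID-ADMIN-PLACEHOLDER"]
    for user in ("USER-ID-ALICE-PLACEHOLDER", "USER-ID-BREAKGLASS-PLACEHOLDER"):
        print(user, "gaps:", gaps(POLICIES, critical, user))
```

Two gaps the sample deliberately contains: the mail policy is still in report-only state, so mail is covered by the all-users MFA policy alone, and the break-glass account is excluded from the admin-portal policy and therefore also falls back to plain MFA. Both are exactly the kind of configuration under which the Teams lure described in this advisory still works, and both are easy to miss when reading policies one at a time.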
Generally, MyCERT advises users of these products to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
6.0 References