New Russian APT group Void Blizzard targets NATO-based orgs after infiltrating Dutch police

Switch to spear phishing: In recent months the group seems to have pivoted from password spraying to targeted spear phishing attacks that direct users to fake Microsoft Entra login pages using adversary-in-the-middle (AitM) techniques. Such a campaign led to the compromise of 20 NGOs in April.

In its campaign against NGOs, Void Blizzard sent emails masquerading as official invitations to the European Defense and Security Summit that will take place next month in Brussels. The emails contained a PDF attachment designed to look like an invitation with a QR code that directed victims to a typosquatted domain name called micsrosoftonline[.]com.

"We assess that Void Blizzard is using the open-source attack framework Evilginx to conduct the AitM phishing campaign and steal authentication data, including the input username and password and any cookies generated by the server," Microsoft researchers wrote in their report. "Evilginx, publicly released in 2017, was the first widely available phishing kit with AitM capabilities."

Following successful access, the hackers leverage legitimate Microsoft cloud APIs such as those from Exchange Online and Microsoft Graph to enumerate user mailboxes and cloud-hosted files. The attackers will download any shared files and folders they have access to and in some cases have also accessed Microsoft Teams conversations and messages through the Teams web application.

The AzureHound open-source tool has also been used to collect information about the victim's Microsoft Entra ID configuration, including information on users, roles, groups, applications, and devices belonging to an Entra tenant.

Mitigation: Microsoft has released several threat hunting queries for Microsoft XDR and Azure Sentinel. However, the company also advises using Conditional Access policies to implement sign-in risk detections that can trigger automatic access blocks or multi-factor authentication requests.

"Leverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with passkey," the company advised. "Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking."

Centralizing identity management in a single platform for both cloud and on-premises environments and logging the data to a SIEM can help organizations analyze and detect suspicious activity. Implementing proper credential hygiene and principles of least privilege are also very important.
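The lure above turned on a one-character lookalike of microsoftonline.com. As an added defender-side illustration (not code from Microsoft's report or from CSO Online), the following script scores login URLs harvested from mail or proxy logs against a short, assumed list of protected Microsoft sign-in domains using edit distance, accepts defanged indicators such as micsrosoftonline[.]com, and treats the real hosts and their subdomains as legitimate. The domain list, the naive "last two labels" registrable-domain rule and the sample URLs are all constructed for the example.

```python
"""Flag login URLs whose registrable domain is a near-miss of a protected sign-in domain."""
from urllib.parse import urlparse

# Assumed, illustrative allow-list of genuine Microsoft Entra sign-in hosts (not exhaustive).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}
# Registrable domains whose lookalikes we want to catch.
PROTECTED_DOMAINS = {"microsoftonline.com", "microsoft.com"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), one row of DP at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Naive rule for the example: last two labels. Production code should use a public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'typosquat:<protected domain>' or 'unrelated' for one URL."""
    refanged = url.replace("[.]", ".").replace("hxxp", "http")  # accept defanged IoC notation
    host = (urlparse(refanged).hostname or "").lower()
    if host in LEGIT_LOGIN_HOSTS or any(
        host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS
    ):
        return "legitimate"
    reg = registrable_domain(host)
    for d in sorted(PROTECTED_DOMAINS):
        dist = levenshtein(reg, d)
        if 0 < dist <= max_distance:  # close but not identical: a lookalike
            return f"typosquat:{d}"
    return "unrelated"


# Constructed sample input: URLs as they might be extracted from a QR code or a mail gateway log.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://micsrosoftonline[.]com/login",          # the lookalike reported in the article
    "https://login.micsrosoftonline.com/common",     # lookalike hidden under a familiar subdomain
    "https://example.org/invitation.pdf",
]


def scan(urls=SAMPLE_URLS) -> dict:
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in scan().items():
        print(f"{verdict:32} {url}")
```

The distance threshold of 2 is deliberately tight; widening it against short protected domains quickly produces false positives, so tune it per domain rather than globally.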

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3996192/new-russian-apt-group-void-blizzard-targets-nato-based-orgs-after-infiltrating-dutch-police.html
