Microsoft Warns of COLDRIVER’s Evolving Evading and Credential-Stealing Tactics

December 7, 2023 at 10:06AM

The COLDRIVER threat actor, tracked as Star Blizzard by Microsoft and linked to Russia’s FSB, has been targeting entities aligned with Russian interests using advanced credential theft and evasion techniques. It uses impersonating domains, email campaigns, and server-side scripts to phish for credentials while evading detection. Recently, the U.K. sanctioned two of its members for cyber espionage attempts.

Key Takeaways:

1. The threat actor COLDRIVER, known for credential theft activities in the interest of Russia, has been improving its detection evasion capabilities.
2. COLDRIVER is tracked by Microsoft as Star Blizzard (also known as SEABORGIUM, Blue Callisto, BlueCharlie, Calisto, and TA446).
3. Star Blizzard targets international affairs, defense logistics supporting Ukraine, academia, security companies, and other entities in line with Russian interests.
4. Linked to the Russian Federal Security Service (FSB), Star Blizzard’s history includes creating fake domains that mimic legitimate company login pages since at least 2017.
5. In August 2023, Recorded Future identified 94 new domains linked to the threat actor, mostly related to IT and cryptocurrency.
6. From April 2023, Microsoft observed the actor moving away from hCaptcha to using server-side scripts to prevent automated scanning and evade detection.
7. The scripts check for browser plugins and automation tools, then decide whether to redirect the visitor to an hCaptcha or directly to the credential-harvesting page on the Evilginx server.
8. Star Blizzard has also been using email marketing services like HubSpot and MailerLite for spear-phishing campaigns that lead to the harvesting server.
9. The group uses DNS providers, password-protected PDF lures, and Proton Drive hosting to bypass email security.
10. The actor’s Domain Generation Algorithm (DGA) has been updated for randomization to avoid detection following public reporting on its tactics.
11. Activities remain focused on stealing email credentials, mainly targeting cloud-based providers, and they use dedicated VPSs for spear-phishing infrastructure.
12. The U.K. government has sanctioned two members of Star Blizzard for cyber operations intended to undermine U.K. organizations and political processes.
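A defender-side check for the password-protected PDF lures in item 9, written as an added example and not taken from Microsoft's report: it parses an inbound message and flags PDF attachments whose trailer declares an /Encrypt entry, which a mail gateway cannot inspect without the password. The sample PDFs, addresses and message are constructed.

```python
"""Flag password-protected PDF attachments in inbound mail (constructed example)."""
import email
import re
from email import policy
from email.message import EmailMessage

# A PDF is encrypted when its trailer (or an xref stream) carries an /Encrypt entry,
# either as an indirect reference ("/Encrypt 2 0 R") or an inline dictionary ("/Encrypt <<").
ENCRYPT_RE = re.compile(rb"/Encrypt\s*(\d+\s+\d+\s+R|<<)")


def pdf_is_encrypted(data: bytes) -> bool:
    """Return True if the bytes look like a PDF whose trailer declares /Encrypt."""
    if not data.startswith(b"%PDF-"):
        return False
    # Trailers normally sit at the end of the file, but incremental updates can move
    # the /Encrypt entry elsewhere, so fall back to scanning the whole file.
    return ENCRYPT_RE.search(data[-4096:]) is not None or ENCRYPT_RE.search(data) is not None


def flag_encrypted_pdfs(raw_message: bytes) -> list:
    """List attachment filenames in a raw RFC 5322 message that are encrypted PDFs."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if pdf_is_encrypted(payload):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged


def build_sample(pdf_bytes: bytes, filename: str) -> bytes:
    """Construct a minimal message with one PDF attachment (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Document for review"
    msg.set_content("Please open the attached document.")
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf", filename=filename)
    return msg.as_bytes()


# Constructed PDF stubs: one plain, one declaring a standard security handler in its trailer.
PLAIN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
                 b"2 0 obj<</Filter/Standard/V 2/R 3>>endobj\n"
                 b"trailer<</Root 1 0 R/Encrypt 2 0 R>>\n%%EOF\n")

if __name__ == "__main__":
    for pdf, name in ((PLAIN_PDF, "invoice.pdf"), (ENCRYPTED_PDF, "protected.pdf")):
        print(name, flag_encrypted_pdfs(build_sample(pdf, name)))
```

Flagged messages are candidates for quarantine or manual review rather than automatic blocking, since legitimate senders also encrypt PDFs.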

Action Items:
– Follow and maintain awareness of the evolving tactics of Star Blizzard.
– Ensure adequate cybersecurity measures are in place for credential protection, especially for entities in the targeted sectors.
– Consider the use of advanced detection and response mechanisms to identify and neutralize such sophisticated threats.
– Stay up-to-date with threat intelligence reports and implement necessary security updates.
– Be aware of the new sanctions and consider their implications for business and security operations.