January 26, 2024 at 01:21AM
Microsoft has reported that the Russian state-sponsored threat actor responsible for a cyber attack on its systems in late November 2023 is now targeting other organizations. The group, known as APT29 or BlueBravo, primarily targets governments, diplomatic entities, and IT service providers in the U.S. and Europe. It gains access through legitimate but compromised user accounts and uses that access to exfiltrate data. Organizations are advised to defend against rogue OAuth applications and password spraying.
Key takeaways from the report include:
1. Microsoft reported that Russian state-sponsored threat actors responsible for a cyber attack in November 2023 are now targeting other organizations, primarily in the U.S. and Europe, focusing on governments, diplomatic entities, NGOs, and IT service providers.
2. The threat actor, APT29, uses diverse initial access methods, such as stolen credentials and supply chain attacks, and abuses OAuth applications both to move laterally across cloud infrastructure and to hide malicious activity. It also routes connections through residential proxies to obfuscate their origin, making traditional detection methods infeasible.
3. The attack on Microsoft involved a password spray attack against a legacy, non-production test tenant account that lacked multi-factor authentication.
4. Given these tactics, organizations are advised to take steps to defend against rogue OAuth applications and password spraying.
These points highlight the sophisticated tactics used by the threat actor and the need for heightened security measures to counter their methods.
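As an added illustration of points 3 and 4 (this is example code written for this summary, not Microsoft's detection logic), the script below runs two password-spray checks over a small set of constructed sign-in records. The first check is the conventional one, a single source IP failing against many distinct accounts. The second is source-agnostic: it counts distinct accounts that each fail only once or twice inside a short window, which is the "low and slow" signature a spray leaves even when every attempt arrives through a different residential proxy. The record format, field names, thresholds and all addresses and usernames are assumptions made for the example.

```python
"""Password-spray detection over constructed sign-in records.

Added example, not from the page or from Microsoft. A password spray sends
a few guesses against many accounts rather than many guesses against one,
so per-account lockout thresholds never trip. Two complementary checks:
  1. per-source: one IP failing against many distinct accounts
  2. distributed: many distinct accounts each failing a small number of
     times in one window, regardless of source (survives proxy rotation)
Field layout, thresholds, IPs and usernames are assumptions for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp,user,source_ip,result
# Block 1: classic spray from one IP against six accounts.
# Block 2: eight accounts, one failure each, from eight different IPs.
# Block 3: a legitimate user mistyping a password twice, then succeeding.
EVENTS_CSV = """\
2024-01-25T01:00:00,alice@example.test,203.0.113.10,FAILURE
2024-01-25T01:00:30,bob@example.test,203.0.113.10,FAILURE
2024-01-25T01:01:00,carol@example.test,203.0.113.10,FAILURE
2024-01-25T01:01:30,dave@example.test,203.0.113.10,FAILURE
2024-01-25T01:02:00,erin@example.test,203.0.113.10,FAILURE
2024-01-25T01:02:30,frank@example.test,203.0.113.10,FAILURE
2024-01-25T02:00:00,user01@example.test,198.51.100.1,FAILURE
2024-01-25T02:00:20,user02@example.test,198.51.100.2,FAILURE
2024-01-25T02:00:40,user03@example.test,198.51.100.3,FAILURE
2024-01-25T02:01:00,user04@example.test,198.51.100.4,FAILURE
2024-01-25T02:01:20,user05@example.test,198.51.100.5,FAILURE
2024-01-25T02:01:40,user06@example.test,198.51.100.6,FAILURE
2024-01-25T02:02:00,user07@example.test,198.51.100.7,FAILURE
2024-01-25T02:02:20,user08@example.test,198.51.100.8,FAILURE
2024-01-25T03:00:00,grace@example.test,192.0.2.7,FAILURE
2024-01-25T03:00:15,grace@example.test,192.0.2.7,FAILURE
2024-01-25T03:00:40,grace@example.test,192.0.2.7,SUCCESS
"""


def parse_events(csv_text):
    """Parse the constructed CSV into dicts with a datetime 'ts' field."""
    events = []
    for line in csv_text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events


def detect_spray_by_source(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {source_ip: distinct_accounts} for each source whose failures
    touch at least `min_accounts` distinct accounts inside one `window`."""
    failures_by_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAILURE":
            failures_by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in failures_by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def detect_distributed_spray(events, min_accounts=8,
                             window=timedelta(minutes=5), max_per_account=2):
    """Source-agnostic check. For each window starting at a failure, count
    distinct accounts that failed at most `max_per_account` times; a large
    count is the spray signature even when every attempt uses a new IP.
    Returns a list of (window_start, sprayed_accounts, distinct_sources)."""
    failures = sorted((e for e in events if e["result"] == "FAILURE"),
                      key=lambda e: e["ts"])
    hits = []
    for i, first in enumerate(failures):
        in_window = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
        per_account = defaultdict(int)
        for e in in_window:
            per_account[e["user"]] += 1
        sprayed = [u for u, n in per_account.items() if n <= max_per_account]
        if len(sprayed) >= min_accounts:
            hits.append((first["ts"], len(sprayed),
                         len({e["ip"] for e in in_window})))
    return hits


def analyze(csv_text):
    """Run both detections and return their findings together."""
    events = parse_events(csv_text)
    return {"by_source": detect_spray_by_source(events),
            "distributed": detect_distributed_spray(events)}


if __name__ == "__main__":
    findings = analyze(EVENTS_CSV)
    print("per-source spray:", findings["by_source"])
    for start, accounts, sources in findings["distributed"]:
        print(f"distributed spray from {start}: {accounts} accounts, "
              f"{sources} distinct sources")
```

Run as-is, the per-source check flags only 203.0.113.10, and misses the second block entirely because no single address repeats; the distributed check catches that block (eight accounts, eight sources, in under three minutes) and stays quiet on the legitimate user whose two failures land on a single account. In production the same logic would run over tenant sign-in logs rather than an embedded string, and the thresholds should be tuned against baseline failure rates; a tenant where multi-factor authentication is enforced on every account, including legacy and test tenants, also removes most of the value a successful spray would otherwise yield.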