
Amazon disrupts Russian APT29 hackers targeting Microsoft 365


Researchers have disrupted an operation attributed to the Russian state-sponsored threat group Midnight Blizzard, which sought access to Microsoft 365 accounts and data.

Also known as APT29, the hacker group compromised websites in a watering hole campaign to redirect selected targets "to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow."

The Midnight Blizzard threat actor has been linked to Russia’s Foreign Intelligence Service (SVR) and is well-known for its clever phishing methods that recently impacted European embassies, Hewlett Packard Enterprise, and TeamViewer.

Random target selection

Amazon’s threat intelligence team discovered the domain names used in the watering hole campaign after creating an analytic for APT29's infrastructure.

An investigation revealed that the hackers had compromised multiple legitimate websites and obfuscated malicious code using base64 encoding.

By using randomization, APT29 redirected roughly 10% of the compromised websites' visitors to domains that mimic Cloudflare verification pages, like findcloudflare[.]com or cloudflare[.]redirectpartners[.]com.

[Image: Malicious JavaScript that redirects to attacker-controlled domains. Source: Amazon]

As Amazon explains in a report on the recent action, the threat actors used a cookies-based system to prevent the same user from being redirected multiple times, reducing suspicion.
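As an added illustration (not Amazon's tooling or code from its report), the following Python scanner flags inline scripts that combine the indicators described above: a base64-wrapped body, a Math.random() gate, a document.cookie check and a redirect to a Cloudflare-lookalike host. The sample page, the payload skeleton and the cookie name are constructed for this example.

```python
import base64
import re

# Constructed sample page: one benign script plus one injected script whose body
# is hidden in a base64 literal, modelled on the indicators the article lists. The
# payload is a skeleton written for this example, not code recovered from the campaign.
INJECTED_PAYLOAD = ("if(!document.cookie.includes('cf_seen=1')){document.cookie='cf_seen=1';"
                    "if(Math.random()<0.1){window.location.href='https://findcloudflare.com/';}}")
SAMPLE_HTML = ("<html><body><script>console.log('site analytics');</script><script>eval(atob('"
               + base64.b64encode(INJECTED_PAYLOAD.encode()).decode() + "'));</script></body></html>")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking literals
LEGIT_CF = ("cloudflare.com", "cloudflare.net")      # Cloudflare's own zones
INDICATORS = {                                       # behaviours described in the article
    "random_gate": re.compile(r"Math\.random\(\)\s*<\s*0?\.\d+"),
    "cookie_suppression": re.compile(r"document\.cookie"),
    "redirect": re.compile(r"location(?:\.href|\.replace|\.assign|\s*=)"),
}

def decode_base64_literals(script):
    """Decode every long base64 literal that yields readable text."""
    decoded = []
    for m in B64_RE.finditer(script):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            decoded.append(text)
    return decoded

def lookalike_domains(text):
    """Hosts that contain 'cloudflare' but are not on Cloudflare's own zones."""
    hosts = {h.lower() for h in re.findall(r"https?://([a-z0-9.-]+)", text, re.I)}
    return {h for h in hosts if "cloudflare" in h
            and not any(h == z or h.endswith("." + z) for z in LEGIT_CF)}

def analyze_script(script):
    """Score one inline script together with anything it hides in base64."""
    views = [script] + decode_base64_literals(script)
    hits = {name for v in views for name, rx in INDICATORS.items() if rx.search(v)}
    if "atob(" in script or len(views) > 1:
        hits.add("base64_obfuscation")
    lookalikes = sorted({d for v in views for d in lookalike_domains(v)})
    return {"indicators": sorted(hits), "lookalike_domains": lookalikes}

def scan_html(html):
    """Report inline scripts that match at least three indicators."""
    results = (analyze_script(body) for body in SCRIPT_RE.findall(html))
    return [r for r in results if len(r["indicators"]) >= 3]
```

Run against fetched HTML of pages you administer; hosts under Cloudflare's own zones (for example challenges.cloudflare.com) are deliberately not reported.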
