Activity profile: Midnight Blizzard conducts targeted social engineering over Microsoft Teams. Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM).

Activity profile: Secret Blizzard targets defense sector in Ukraine and Eastern Europe. Since February 2023, Microsoft has identified ongoing targeted attacks against the defense sector in Ukraine and Eastern Europe by the threat actor Secret Blizzard (KRYPTON, UAC-0003) leveraging DeliveryCheck, a novel .NET backdoor used to deliver a variety of second-stage payloads.

Activity profile: Midnight Blizzard targets diplomatic, NGOs, and humanitarian organizations in global spear phishing activity. Midnight Blizzard shifted the focus of its spear phishing activities in early May 2023 to targeting the diplomatic missions of governments, non-governmental organizations (NGOs), and humanitarian organizations that support Ukraine and/or took part in other aspects of the conflict, such as aiding refugees, investigating human rights, or providing financial support.

Threat overview: Adversary-in-the-middle credential phishing. Adversary-in-the-middle (AiTM) attacks have long been used by threat actors to steal credentials and personal data or to deliver malware. Open-source, free-to-use phishing kits with AiTM capabilities have been available since 2017, but AiTM capabilities were not commonly paired with large-scale phishing campaigns until 2021. In 2022 the technique became common, replacing more traditional forms of credential phishing. Cybercriminals currently use AiTM phishing techniques to bypass multifactor authentication (MFA) protections at scale. These advanced techniques are democratized and proliferated through the phishing-as-a-service (PhaaS) cybercrime economic model, which has spawned several service offerings since 2021.

Peach Sandstorm password sprays targets. Since February 2023, Microsoft has observed a high volume of password spray attacks attributed to Peach Sandstorm (HOLMIUM), an Iranian nation-state group known to target organizations with ties to the United States or Saudi Arabia.

Actor profile: Mustard Tempest. The actor that Microsoft tracks as Mustard Tempest (DEV-0206) is a financially motivated cybercriminal group that provides initial access to ransomware operators, such as Manatee Tempest (DEV-0243). Mustard Tempest infects its targets through drive-by scenarios using FakeUpdates (also known as SocGholish) malware.

Actor profile: Periwinkle Tempest. The actor Microsoft tracks as Periwinkle Tempest (DEV-0193, also known as Trickbot LLC or Conti LLC) is a prolific criminal group that encompasses multiple subgroups covering the operation, tooling, development, and management of several of the most impactful ransomware-as-a-service (RaaS) and backdoor ecosystems.

Actor profile: Storm-1285. Microsoft tracks Storm-1285 as the actor group responsible for the development, support, and sale of the Hades phishing kit. Hades has adversary-in-the-middle (AiTM) capabilities, which can bypass multifactor authentication (MFA) protections.

Actor profile: Twill Typhoon. The threat actor Microsoft tracks as Twill Typhoon (TANTALUM) is a nation-state activity group based out of China. Twill Typhoon is known to primarily target government-related organizations in Europe, East Asia, and Africa. Twill Typhoon focuses on espionage.