A Russian state-run cyberespionage group known as APT29 has been launching phishing attacks against organizations using fake security messages sent over Microsoft Teams, in an attempt to defeat Microsoft’s two-factor authentication (2FA) push notification method that relies on number matching. “Our current investigation indicates this campaign has affected fewer than 40 unique global organizations,” Microsoft said in a report. “The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.”
Midnight Blizzard is Microsoft’s newly designated name for APT29, a threat group that has been operating for many years and is considered by the US and UK governments to be the hacking arm of Russia’s foreign intelligence service, the SVR. APT29, also known in the security industry as Cozy Bear or NOBELIUM, was behind the 2020 SolarWinds software supply chain attack that impacted thousands of organizations worldwide, and has also been responsible over the years for attacks against many government institutions, diplomatic missions and military industrial base companies around the world.
Latest campaign used hijacked Microsoft 365 tenants
APT29 gains access to systems and networks using a wide variety of methods, including zero-day exploits, abuse of trust relationships between different entities inside cloud environments, phishing emails and web pages impersonating popular services, password spray and brute-force attacks, and malicious email attachments and web downloads.
The latest spear-phishing attacks detected by Microsoft started in May and were likely part of a larger credential compromise campaign that first resulted in the hijacking of Microsoft 365 tenants belonging to small businesses. Microsoft 365 tenants get a subdomain on the generally trusted onmicrosoft.com domain, so the attackers renamed the hijacked tenants to create subdomains with security- and product-related names to lend credibility to the next step in their social engineering attack.
The second step involved targeting accounts in other organizations for which the attackers had already obtained credentials, or which had a passwordless authentication policy enabled. Both of these account types had multi-factor authentication enabled through what Microsoft calls number-matching push notifications.
Number-matching versus device-generated codes
The 2FA push notification method involves users receiving a notification on their mobile device through an app in order to authorize a login attempt. It is a common implementation with many websites, but attackers started exploiting it with what is known as 2FA or MFA fatigue — an attack tactic that involves spamming a user whose credentials have been stolen with continuous push authorization requests until they think the system is malfunctioning and accept one, or worse, spamming users who have this option enabled with 2FA phone calls in the middle of the night.
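As an added example (not from the article or from Microsoft's report), the following Python flags the push-fatigue pattern described above in constructed sign-in log lines: a burst of push prompts for one account inside a short window, with a note of whether the burst ended in an approval. The log layout, field names and result values are assumptions.

```python
# Added example: detect MFA push-fatigue bursts in sign-in logs.
# Log layout "<timestamp> <user> <push_result>" and the result values are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): alice is prompted five times in
# three minutes and finally approves; bob sees two normal, widely spaced prompts.
SAMPLE_LOG = """\
2023-05-10T02:01:05Z alice@example.test push_denied
2023-05-10T02:01:40Z alice@example.test push_timeout
2023-05-10T02:02:10Z alice@example.test push_denied
2023-05-10T02:02:55Z alice@example.test push_denied
2023-05-10T02:03:30Z alice@example.test push_approved
2023-05-10T09:15:00Z bob@example.test push_approved
2023-05-10T17:40:00Z bob@example.test push_denied
"""

def parse_log(text):
    """Parse log lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: (max_prompts_in_window, approved_after_burst)} for every
    user who received at least `threshold` push prompts within any `window`."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    findings = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                approved = evs[end][1] == "push_approved"
                prev = findings.get(user, (0, False))
                findings[user] = (max(prev[0], count), prev[1] or approved)
    return findings

if __name__ == "__main__":
    for user, (n, approved) in find_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {n} push prompts in window, approved after burst={approved}")
```

An approval that follows a burst of denials or timeouts is the case worth paging on, since it matches the "accept it to make it stop" outcome rather than a user simply declining unexpected prompts.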