At a glance.
- Russian threat actor abuses Microsoft Teams chats.
- CrowdStrike's Threat Hunting Report.
- Cybersecurity and sports.
- Akamai looks at the current state of ransomware.
Russian threat actor abuses Microsoft Teams chats.
Microsoft describes a "highly targeted" social engineering campaign attributed to the Midnight Blizzard threat actor (also known as "Cozy Bear" or "APT29," a threat actor associated with Russia's Foreign Intelligence Service). The threat actor is abusing Microsoft Teams chats to send phishing lures designed to steal credentials: "In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities. Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts."
The campaign has targeted fewer than forty organizations in the "government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors." Microsoft believes the goal of the campaign is cyberespionage.
CrowdStrike's Threat Hunting Report.
CrowdStrike's 2023 Threat Hunting Report outlines a 583% increase in the Kerberoasting identity-based attack technique over the past year:
"Windows devices use the Kerberos authentication protocol, which grants tickets to provide users access based on service principal names (SPNs). Kerberoasting specifically involves the theft of tickets associated with SPNs. These tickets contain encrypted credentials that can be cracked offline using brute-force methods to uncover the plaintext credentials.
"Kerberoasting is a beneficial technique for adversaries because it targets an SPN associated with an Active Directory account, and because these SPNs are often tied to service accounts, they will usually have higher privileges and allow the adversary to extend their reach and gain access to sensitive files or systems. Additionally, these attacks can be challenging to detect because Kerberos activity is so prevalent in everyday telemetry, which allows adversaries to blend into the noise."
The researchers note that the VICE SPIDER cybercriminal group was behind 27% of Kerberoasting attacks in 2023.
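The report's point that Kerberoasting "blends into the noise" of ordinary Kerberos telemetry is the reason detection usually keys on two signals rather than on any single ticket request: a service ticket issued with RC4-HMAC (encryption type 0x17), which is far cheaper to crack offline than an AES ticket, and one account requesting tickets for an unusual number of distinct SPNs in a short window. The following detector is an added example, not code from the CyberWire digest or from CrowdStrike; it uses the real field names of Windows Security event 4769 ("A Kerberos service ticket was requested"), but the log lines, the key=value rendering, the thresholds and the severity labels are constructed assumptions for illustration.

```python
"""
Added example: a small Kerberoasting detector over Windows Security event 4769.
Field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) follow
the real 4769 schema; the sample lines, the simplified key=value layout, the
60-second window and the 5-SPN threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry.  alice is a normal user touching two services
# with AES tickets; bob requests RC4 tickets for six distinct service accounts
# within five seconds; carol uses one legacy RC4-only service.
SAMPLE_4769 = """\
2023-08-02T09:00:01 EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=HTTP/intranet TicketEncryptionType=0x12 IpAddress=10.0.1.20
2023-08-02T09:00:05 EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=cifs/fileserver TicketEncryptionType=0x12 IpAddress=10.0.1.20
2023-08-02T09:15:10 EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=MSSQLSvc/db01:1433 TicketEncryptionType=0x17 IpAddress=10.0.1.55
2023-08-02T09:15:11 EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=MSSQLSvc/db02:1433 TicketEncryptionType=0x17 IpAddress=10.0.1.55
2023-08-02T09:15:12 EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=HTTP/reports TicketEncryptionType=0x17 IpAddress=10.0.1.55
2023-08-02T09:15:13 EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.1.55
2023-08-02T09:15:14 EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=svc_monitor TicketEncryptionType=0x17 IpAddress=10.0.1.55
2023-08-02T09:15:15 EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=svc_sccm TicketEncryptionType=0x17 IpAddress=10.0.1.55
2023-08-02T09:15:16 EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=10.0.1.55
2023-08-02T10:02:40 EventID=4769 TargetUserName=carol@CORP.EXAMPLE ServiceName=ldap/legacyapp TicketEncryptionType=0x17 IpAddress=10.0.2.9
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769


def parse_event(line: str) -> dict:
    """Parse one constructed 4769 line into a dict; 'ts' becomes a datetime."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def is_roastable_target(service_name: str) -> bool:
    """Computer accounts (trailing '$') and krbtgt hold long random keys, so
    tickets for them are not practical offline-cracking targets; drop them
    to cut noise from ordinary machine-to-machine traffic."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(lines, window_seconds=60, spn_threshold=5):
    """Return {account: finding} for accounts showing Kerberoasting signals.

    severity: 'high'   = many distinct SPNs in one window AND RC4 tickets
              'medium' = many distinct SPNs in one window, AES only
              'low'    = RC4 tickets only (legacy service or weak config)
    """
    events = [parse_event(line) for line in lines if line.strip()]
    events = [e for e in events
              if e.get("EventID") == "4769" and is_roastable_target(e["ServiceName"])]
    events.sort(key=lambda e: e["ts"])

    per_account = defaultdict(list)
    for e in events:
        per_account[e["TargetUserName"]].append(e)

    window = timedelta(seconds=window_seconds)
    findings = {}
    for account, evs in per_account.items():
        rc4_count = sum(1 for e in evs if e["TicketEncryptionType"].lower() == RC4_HMAC)
        # Sliding window: largest number of distinct SPNs requested within any
        # window_seconds span of this account's ticket requests.
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["ServiceName"] for e in evs[start:end + 1]}
            best = max(best, len(distinct))
        burst = best >= spn_threshold
        if not burst and rc4_count == 0:
            continue
        findings[account] = {
            "max_distinct_spns_in_window": best,
            "rc4_tickets": rc4_count,
            "source_ips": sorted({e["IpAddress"] for e in evs}),
            "severity": "high" if burst and rc4_count else "medium" if burst else "low",
        }
    return findings


if __name__ == "__main__":
    for account, finding in detect_kerberoasting(SAMPLE_4769.splitlines()).items():
        print(account, finding)
```

In a real deployment the two knobs that matter are the baseline (a user who legitimately touches ten services a minute needs a higher threshold) and the RC4 rule, which only earns its keep once the domain's service accounts are AES-only; until then the "low" findings are a to-do list for the identity team rather than incidents.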
Cybersecurity and sports.
Microsoft has published a report looking at threats to sporting associations and entertainment venues. The researchers write, "Information on athletic performance, competitive advantage, and personal information is a lucrative target. Unfortunately, this information can be vulnerable at-scale, due to the number of connected devices and interconnected networks in these environments. Often this vulnerability spans multiple owners, including teams, corporate sponsors, municipal authorities, and third-party contractors. Coaches, athletes, and fans can also be vulnerable to data loss and extortion."
George McGregor, Vice President at Approov, commented, "A key element is the apps which are launched for events (for example the FIFA Women's World Cup app - 10M+ downloads on Android) which are intended to be a 'one-stop shop' for events. Unless they are protected, they can leak personal financial data and also be a source of other information which can be used in broader infrastructure attacks."
Amit Patel, SVP at Cyware, noted, "Anytime you gather tens of thousands of people together using shared infrastructure it's an attractive target for attackers. Major sports leagues are realizing that they need to address security collectively - not relying on local capabilities. By monitoring threats globally, and sharing intel automatically across leagues and venues, and anticipating attacks, we can reduce risks considerably."
Akamai looks at the current state of ransomware.
Akamai has published a report looking at the ransomware landscape in 2023. The researchers found that the “rampant abuse of zero-day and one-day vulnerabilities in the past six months led to a 143% increase in victims when comparing Q1 2022 with Q1 2023.” Akamai also notes, “Ransomware groups now increasingly target the exfiltration of files, which has become the primary source of extortion, as seen with the recent exploitation of GoAnywhere and MOVEit. This underscores the fact that file backup solutions, though effective against file encryption, are no longer a sufficient strategy.”