The Microsoft Threat Intelligence Podcast 5.6.26
Ep 68 | 5.6.26

Russia’s Forest Blizzard Is Abusing Home + Small Office Routers for Cred Theft

Transcript

Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence Podcast". I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. What if I told you that the weakest link in your security actually isn't in your enterprise at all? It's at your employees' homes in their routers. And what about if I told you that threat actors aren't breaking in, they're just sitting upstream watching everything? Welcome to the "Microsoft Threat Intelligence Podcast". I'm Sherrod DeGrippo with Microsoft, and today we are diving into one of the most interesting evolutions we've seen from a well-known Russian-based state actor, Forest Blizzard. I am joined here by my very good friend, I'm very excited about this, Danny Adamitis. He is a distinguished engineer from the Threat Intel Arm of Lumen Technology's Black Lotus Labs. Danny, thank you for joining me. It's good to see you.

Danny Adamitis: Always a pleasure to see you, Sherrod.

Sherrod DeGrippo: Danny and I go way back, but we've never had you on the podcast. I'm so sad.

Danny Adamitis: Well, I mean, this is why we're changing things. We are being that change we want to see in this world.

Sherrod DeGrippo: We are being the change. We have been collaborating across these orgs for a long time to understand how the activity works, how it plays out in the real world. And so let's talk about kind of the modes here. It's not like a quick intrusion situation. It's more patient. It's going for strategic intelligence collection. It's aligned to geopolitical objectives. When you think about this threat actor, Forest Blizzard, what do you think really defines them as who they are, their operations?

Danny Adamitis: I think there's a couple of different really notable things. One is that they are, I would argue, one of the original nation-state APTs that everyone has been tracking for at this point, what, a decade, almost two decades in time? Like, they are one of the original players into the space. The second thing is they have a certain level of brazenness to their operations, which just exhibits a whole lot of "I do not give a darn" energy. So again, it's just really fun to watch them because a lot of threat actors will sometimes, like, see reports and change their TTPs or try to mix things up. These guys are sort of people who are like, no, we're going to double and triple-down on the exact same thing and make you make us do something different. Which is just really fun to watch because again, it's just a very different attitude than we've seen from other people before. And of course, you know, I just always have a soft spot for tracking Russian APTs.

Sherrod DeGrippo: I know you have some certain areas of interest that we talk about and we've worked on together before, so I think this is one of them. How do you see them, like, evolving over time? Because this is, as you mentioned, an actor that's been tracked by the intelligence analyst community for years and years. You know, we've got on the Microsoft blog, going back a couple of years, great intel profiles written out there. What are we seeing in terms of evolving, or are they just kind of sticking to the same playbooks as always?

Danny Adamitis: So I would say they have the same underlying strategic objectives, but the way in which they do it has just been this constant evolution. So this was something we kind of hit about in our, you know, blog. We've seen them going back to, like, 2021. There was a really famous I think CSA that came out from, like, the NSA, FBI, CISA, where they were doing brute forcing from these Kubernetes instances. And they were basically just password spraying all of the same targets that we were seeing, and they were having I guess some degree of success with that. And then once they figured out that they can no longer brute-force things because we started to use MFA, that's when they started to harvest those NTLM tokens. And then once they harvested the NTLM tokens and they realized that wasn't working, then we saw them deploy, you know, some malware families like Authentic Antics. And then once that got published, they're now kind of switching it back up to this exact same thing using the DNS hijacking to steal tokens. And here we are almost five years later talking about them still targeting these, you know, Outlook and email services. It's just that they just keep changing their approach to getting that same underlying objective data.

Sherrod DeGrippo: What's interesting to me about that is I study a lot of behavior. I'm really into psychology and neurolinguistic programming, and there's a really simple framework developed by Nicholas Boothman called KFC, which is know what you want, find out what you're getting, change what you're doing until you get what you want. And that's really sort of a life philosophy, but I feel like Forest Blizzard has adopted this as their technical operating principle. Just know what you want, see what your results are, and just keep changing until you're getting the results that you need.

Danny Adamitis: Yes, and they have, again, a certain level of persistence, which is not to be understated.

Sherrod DeGrippo: So let's talk about this particular release that we put out recently. It was a pretty big joint collaboration with several organizations, which we appreciate all the partnership. You know, for those of you listening out there that aren't deep in this world, we all love partnering together. Yes, I know, threat actor names are inconsistent across. Yes, we understand that. But the friendship is very consistent across the industry. We really do genuinely partner together and love working with other intel organizations. Let's talk about this particular attack. It's an upstream compromise. It's not inside your network. It's sitting, like, in front of it. And I'll walk listeners through what that looks like. Really simple steps. Compromise a small office, home office router. Those are the ones that everybody has in their house, a lot of small businesses have in their back offices. Compromise that, you modify the DNS settings, you route the traffic now through the actor-controlled infrastructure, and then that gives you passive visibility at really big scale. And once you've got that, you can selectively choose where you want to do attacker-in-the-middle operations. So what makes these routers such an attractive target, Danny?

Danny Adamitis: It's the fact that if you ask your average person, even some of our lovely InfoSec people, what router they have and where is it in your house right now, a lot of people will kind of look at you and go, the Wi-Fi stuff? And I was like, no, the Wi-Fi stuff is supposed to actually be different than the router. These are devices that have just been, at my works, set and forget. You kind of plug it in. And as long as the Wi-Fi is working, no one ever, like, touches them, no one ever power cycles them, no one ever updates them, no one ever really checks them. And they just kind of live out there in perpetuity, which makes them just a very attractive target. Because it is kind of that choke point to the entire internet from everyone behind that particular LAN. So, because it is that kind of critical access point, it gives them really good insight. And because these devices are vulnerable to CVEs from years if not decades ago, it's really cheap and really easy to kind of gain access to them. If I can, we talked about this in one of our other blogs on the side where, you know, we saw them basically hacking some of these SOHO routers that were sitting in front of on-prem, you know, email servers. And at the time, we were looking up, like, Zerodium, if you guys remember them, where they would basically pay you for the CVE. At the time, a CVE for, like, Microsoft Outlook was going for what, a quarter, half a million dollars, or you can hack the router. The CVE for the router was, like, $5,000, and you can just passively PCAP all the SMTP, like, you know, the Port 25 traffic and get the exact same thing for, what, a tenth of the cost?

Sherrod DeGrippo: That's great value. It's a bargain at twice the price. Think of all the money you'll save with doing router --

Danny Adamitis: You're not thinking about the economics. You know, are you thinking about the shareholder value that they're producing for the GRU?

Sherrod DeGrippo: You know what? These are bargains. And we're joking, but I think that's really true. And the economics of this for threat actors is always going to be on the table. They're going to look at how much effort and time they're going to have to put in, and then become cost efficient where they can. Let me ask you, too, you and I have done, you worked on the KV botnet, which was a China-based botnet. You worked on that takedown. You worked on a lot of the analysis and research on that. And that's a China-based actor, so it's different, but it's still this compromise of these hardware devices in people's homes or in these small office instances. What do we need to do about this? What is the problem here? How do we fix this? I've triggered Danny. I can see it in his face.

Danny Adamitis: I know. So the phrase I usually use when I talk about these sorts of attacks is that it's the part of the internet that we've obviously long forgotten about. It's coming back to haunt us now. It's not the fact that any of these devices are, you know, they're not vulnerable by design. There's nothing horrible about them. And again, we can talk about how we should do more secure by design and all those other principles. I think the issue is that no one just tends to that. If you had a garden and you never tried to weed it, you never tried to water it, you never fertilized it, it would just grow into a giant pool of weeds and no one really wants that. I think part of the issue is that we just need to have some mechanisms in place to kind of tend to these routers. And we need people to actually use them. So again, like, I know we as, you know, Lumen, we offer you know, modems to our customers. If you were to call us up and say, hey, we want to get a 1G connection for a house, super common, we would send you a router modem Wi-Fi thing in the mail. And people go, well, you're going to charge me a monthly fee? It's like, well, yes, we still have to pay for infrastructure to update it. And, like, there's an actual person on the other side and all of that stuff does cost a little bit of money. And we try to spread it out amongst all of the users. But everyone's like, oh, well, I don't want to pay that money. So, like, I'm just going to do it myself. And the fact is, no one ever does it themselves. No one does. If they did, we wouldn't be in this situation.

Sherrod DeGrippo: No one does it themselves. And I also think that enterprises have to think about what's in their employees' homes, with so many employees working from home. Even if your employees are going into, I won't name names, but even if your employees are going into your office five days a week, they are still connecting from home, I promise you. Whether it's a personal phone device, or they're doing work after hours at home, this is a vector that threat actors do think about and do consider, and I think we should be a little more careful about it. I live in the South, we have thunderstorms here all the time, and the power goes out, and we all just kind of live with it, right? And when we started seeing these SOHO routers be such a big vector, especially for China-based threat actors, for Russia-based threat actors, every time my power would go out, I would say, you guys got kicked out for a minute. No, there's no one in mine. There's no one in my stuff. But in the neighborhood, you know, I thought it's just kind of a reboot cycle that is important that people don't do. A lot of these devices are also end-of-life so you couldn't update them if you wanted.

Danny Adamitis: And this is the part, if it's working, no one ever wants to change things up. I mean, if you ask Sherrod, we're going to say a brand-new router, you're going to have to probably call your ISP. You're going to have to probably set up an appointment. They're either going to send you something in the mail. Maybe they'll roll out a tech in a truck. And again, they're going to show up sometime between 7:30 and 6:45 at night, and you're like, well, what the heck? I have other things I need to do, and it's an inconvenience, and no one wants to experience that inconvenience.

Sherrod DeGrippo: And there's those videos I've seen many times. It's like, I stayed home all day waiting for the internet tech to come out and they show on the security camera, the internet tech doesn't ring the doorbell, doesn't knock, just puts the sticker on the door, missed you. It's like, ah. So yeah, like, I guess the point that we're making here for those listening is that when you think about it, there's just a lot of friction to keep something up to date that also is not easy and in your face all the time the same way, my phone updates all the time. I have automatic updates turned on. My laptop has automatic updates turned on. It's also a managed device by my employer. My personal devices are all on automatic updates. These routers don't really have that capability when they've been end-of-life, when they aren't managed or sophisticated devices. They're just kind of sitting there decaying.

Danny Adamitis: And the other thing is, I want to say, it's a bit of an ecosystem problem. So even if we have someone, you know, like Sherrod, who's a little bit more savvy and maybe you do patch your router and you do everything, I'm guessing what you're still going to have to fly into the corporate office once a month. What do you do when you're at the airport? You're waiting. Well, you connect to the Wi-Fi at the lounge. Do you have any control over that Wi-Fi at all? Or, you know, if you're hanging out at McDonald's just because you need something to eat. I mean, I love their fries, they're amazing. Anyway, but, like, if you're sitting there waiting for your fries for 10 minutes, what do most people naturally do? Oh, let me just check my email and see if they need anything. Oh, let me check my Teams or my Slack to see if, like, my team needs anything from me. And that's just you constantly connecting via that, you know, ecosystem of that modem. This is something you do not control or manage or have any access to. And again, if you were to say that to the person at the counter of McDonald's, they're going to look at you like you have three heads.

Sherrod DeGrippo: So, let's talk about now the DNS hijacking part.

Danny Adamitis: I love a good DNS story.

Sherrod DeGrippo: I love a DNS story. Everybody loves a DNS story.

Danny Adamitis: Did you realize our initials are Dan and Sherrod? Like, DNS?

Sherrod DeGrippo: I didn't. Oh, my God. Domain name service. Is it system or service? It's domain name. It's service. Okay, quick story time. When I first started in my computer career, I started at the federal government, and I had to set up DNS for our internal network. I had the O'Reilly BIND book on my desk, and I was crying, literally I was crying at my desk, because I couldn't get the key pairs. A lot of people don't know that primary, secondary, and tertiary all have a key exchange to make sure that they, each DNS server serves the same records. And I cried, and I got on a mailing list, I don't remember which one, maybe a 2600 mailing list, and I was like, I need help, I'm in so much trouble. This was the early 2000s, like, 2002. I need so much help. And no joke, Dan Kaminsky emailed me. Dan Kaminsky, I'm going to cry. Dan Kaminsky emailed me.

Danny Adamitis: He's like an OG.

Sherrod DeGrippo: I know, he was such a sweetheart. Emailed me at my .gov address and was like, hey, here's my phone number. Call me and I will walk you through setting it up. And I called him just sort of sniffly like, I'm in trouble at my job, I don't know how to do this. And Dan Kaminsky walked me through setting up the DNS for my work network, which was my job at the time, my first security job. And that was really nice of him. But the reason I bring that up is because DNS is black magic. I will fight to the death anyone. I understand that protocol pretty deeply after that experience. I want to just set the stage for those of you who aren't deeply into tech or aren't deeply into DNS, or even if you're in security and you make that glib little joke, oh, it's always DNS. Well, let me tell you why. Let me tell you why it's always DNS. As humans, what we have done is we have taken numbers. And transmorphed them into words. What? What? Pets.com equals, you know, 478.124. What? What? We have taken numbers and words and made them equivalent. Okay, I can give you a number and you can give me the word that goes with it. Or I can give you a word and you can give me the number that goes with it. That's crazy. That's species-level problematic thinking. So the fact that we do that I think is wild. I think we should have to memorize IP addresses instead. So, Danny.

Danny Adamitis: Or, we could do like an internet phone book and put it on our desk and every day we can flip through it to get all the IP addresses we need.

Sherrod DeGrippo: I want a Rolodex full of IP addresses so that I don't have to use DNS at all.

Danny Adamitis: Could we do it on a rotary phone too, like it's back in the '80s?

Sherrod DeGrippo: What if I, what if we trans, oh, what if we turned IP addresses into phone numbers, VoIP, wow, that's like a POSIX asterisk. Did you ever play with any of those old voice-over IP systems, like the really old ones?

Danny Adamitis: Oh, yes. You do realize that we started off selling, you know, web services on copper lines back in Louisiana.

Sherrod DeGrippo: I love a copper line back in the day. Oh, my gosh. POTS, baby. That's plain old telephone service, which is anything transmitted over copper wire. Okay, so let's talk about this DNS aspect of it. Forest Blizzard does DNS hijacking to their infrastructure. Tell me about that piece of it. What does that look like?

Danny Adamitis: So this was super interesting. So as we've kind of talked about before, we saw these attackers going after some of these, what we call SOHO, small office home office routers. And once taking access to them, this is where I think things started to shift a little bit. If there's any of the people listening to this who are avid readers of our lovely Lumen blogs, if not, you definitely should. We talk about router malware all the time, and the key thing about that is there's usually malware. There's some sort of, you know, compiled binary that says, you know, once you're on the system, start performing these four or five different functions. What makes this attack a little bit different in my mind is we weren't actually seeing them deploy compiled malware onto the systems. They were just modifying the DNS settings to point towards what I'm going to call a rogue or actor-owned IP address. So again, typically if people think about DNS, and maybe you did start to go down that wonderful rabbit hole, you start to learn about things like, you know, Quad8, which is the Google ones, there's a Quad9, which is I think, you know, they're kind of like a nonprofit, you know, maybe you like Cloudflare, whatever, all the same. These guys were then taking those entries where they will specify what the DNS router is or DNS server is, and they would actually then modify that to be an IP address of a VPS that they own and manage themselves. And again, this is a little bit I want to say kind of sneaky, where, like, if you were to even look at this stuff, most people would start searching for something like your /temp file. So if you're going through your fun digital forensics, you'd be like, all right, well, what was dropped in temp? Where are the running processes? Like, looks for the next step to see if there's any active connections. None of that stuff would be present. They would only modify these couple of lines. Maybe there would be some logs for the exploitation, but most people aren't going down to that level of detail.

Sherrod DeGrippo: So first, how novel of an idea do you feel this is from Forest Blizzard to be doing this? Are we seeing other nation-sponsored actors doing it? Is it super sophisticated and innovative and interesting? Or is this just, yeah, it's an open door, walk through it?

Danny Adamitis: It's a little bit of both. So my thing is, this is obviously not the first time we've ever seen or observed this. There was, I think now we're going back to, like, 2008 called DNS Changer, which is doing some kind of variant of this. So again, this is not some brand-new, cunning, latest, you know, latest and greatest 0-Day attack, but what I would say is that while this has been present, I think it's being used in a slightly different way. So one of the other kind of interesting things that sort of caught my attention with this is that we were, I was reading, candidly, some reporting, and I think it was, like, Google Cloud, where they were talking about, like, iOS 0-Days. It grabs everyone's attention, there's a bunch of buzz, there's WIRED articles, it's all great and dandy, and everyone just kind of becomes fixated on these, like, you know, really sophisticated 0-Days that just cost probably millions of dollars. I feel like they're kind of taking what I call the attention economy that exists in the InfoSec space and sort of flipping it on its head. Instead of doing some super sophisticated 0-Day where they're messing with, you know, unannounced debug strings, they're just saying, why don't we do something so extremely simple that's been done 20 years ago but still exists as an open door. And just kind of do this for our own purposes and see how far we can get? And, again, they probably had success for a few months before we really caught on and were able to kind of counter them.

Sherrod DeGrippo: So do you expect that we will see more of this from other actors and these same actors?

Danny Adamitis: Unfortunately, I believe we are. As we kind of talked about before, I don't think we're going to fix the SOHO problem anytime soon. The DNS ecosystem is just also, I'm going to say, it would benefit from a little bit of caretaking, but it's turned into a bit of a tragedy of the comedies. So because it's just one of those universal things, it's just always going to be an issue. So that's why, you know, one of the few things we can do is try to raise some awareness to people who are in this space, you know, maybe working at some sort of SOC to at least start to think about that and at least start to maybe take a peek at some of those DNS logs when you have access to them, or turn on logging in the first place. Great first step.

Sherrod DeGrippo: Great first step is logs. Logs are always a great first step. Talk to any incident responder and ask them how they feel about logs. I think that's a good icebreaker. If anyone ever says they're in incident response, say, what are your feelings on logs? And then you can either make a really good friend or a mortal enemy. I want to take a quick detour, a very quick but deep detour. I want to talk about the DNS root servers for just a second. I know, spicy hot. I'm obsessed with the root servers. I think about them all the time. I make jokes about them all the time, because they really are in a lot of ways just this very strange directory to our ability to transact online. They are the starting point of the address book for the internet. So they tell you where to look next when you're trying to find a website. Danny and I were making jokes about our internet phone book and me having a Rolodex full of IP addresses. That's kind of what the root servers are in reality. You type in your Microsoft.com, but your computer still needs the IP address. So it doesn't know that IP address and it starts asking around. DNS resolution, and resolution means converting the number to the word and the word to the number, DNS resolution is a layered capability, and the root servers are generally the first stop with most computers. The computer asks, like, where is Microsoft.com? And then if your computer doesn't know, it goes ask one of the root servers. And if the root server doesn't know this, if it doesn't have a record for Microsoft.com, which it does, obviously, but if it doesn't have it, it knows who handles ".com" overall, and it will go consult the full ".com" zone files and stuff. So the root servers don't necessarily give the final answers, but they do point you in the right direction. It's like the front desk of a library. You walk in, you ask for a book, they don't actually walk you to the shelf and, like, grab the book for you, but they tell you which floor, they tell you what section, they tell you what shelf. And then from there, you keep narrowing it down until you find exactly what you're looking for. And so here is where some fun facts come in. There are 13 named root servers, and they are named alphabetically A through M. And I often make jokes that I own root servers B, C, and D. I don't really, but it's a joke that I make about hacking. They're replicated globally. There's hundreds of physical servers. They use anycast. They are managed by the big internet orgs like ICANN and things like that. And these are critical infrastructure. If they fail --

Danny Adamitis: The entire internet is broken. The internet is broken.

Sherrod DeGrippo: The internet is broke. You cannot navigate. If the root servers fail, you cannot navigate. And so, Danny, I bring this up because root servers know where to send you next. How fragile are the root servers now, especially in this new world of AI vuln-pocalypse? Do you stay up at night thinking about A through M?

Danny Adamitis: I actually do not.

Sherrod DeGrippo: I do.

Danny Adamitis: Yes, it is software. Yes, it's on the internet. Yes, theoretically, anything that is software and on the internet is vulnerable to exploitation, period, full stop. However, I feel like the people who manage these things, they take a lot of pride in this. And again, I've had times before where I've interacted with people who managed some of these servers, and they are incredibly meticulous. They are incredibly careful. They tend to actually be very forthcoming with information if you ever do talk to them or email them, kind of like Dan, where you can just kind of be like, hey, I'm seeing some weird stuff. This doesn't quite make sense to me. Was this my computer messing up? Was it something with your software? They're very responsive to that. And again, I think they understand that they are kind of the record keepers of the internet, partially the record keepers of history, so they do take a lot of time and a lot of care to get into that. So, yes, you know, is there something that could happen? What, 100%. Have we previously worked on cases where people have been targeting upstream DNS servers? Yes, unfortunately, that does happen sometimes. And when it does happen, it tends to be really bad, but the response tends to be very swift and very decisive.

Sherrod DeGrippo: Oh, my goodness. Very swift and very decisive. Okay. You heard it here first from Danny Adamitis. I think, too, in this kind of new world of AI vuln finding, AI code review, everything is attack surface. Everything on this earth now is attack surface. And I don't just mean internet-facing systems. I mean air gap systems, I mean sovereign systems, I mean systems that haven't been turned on for years and years, and I mean human systems. Humans are absolutely part of the attack surface, and it has really kind of, in this new world, expanded how I think about what the next targets will be, because everything has come inbounds now in ways that it feels like two years ago it really wasn't. So I urge everyone to really think creatively because the threat actors are the most creative thinkers around, a lot of times.

Danny Adamitis: This report actually, in my mind, does a really good job of highlighting why I think one of the core principles anymore is the identity problem. So again, we go into this and I'm not sure if we got there yet, but at the end of the day, they were standing up these kind of attacker-in-the-middle nodes and they were able to steal some of these, you know, OAuth token material and then they were able to authenticate into an email service with the exact same token that was issued to a legitimate client. And this is I think going to be a big issue moving forward, not only for what you've highlighted for what I call a human-based account, but for non-human accounts or what we sometimes call these service accounts. What happens if you have some sort of service that's automatically connecting into a router for the purposes of collecting logs? Because, you know, we all love logs. They're great. You can never have too many of them.

Sherrod DeGrippo: We love logs. Just store them all up. Keep them around.

Danny Adamitis: Throw them somewhere.

Sherrod DeGrippo: Throw them somewhere.

Danny Adamitis: Yeah. But even with the AI agent, if you have, you know, if you jump into the agentic AI piece, you're basically having an agent go and getting information, or correlating information from hypothetically different spreadsheets and putting it together and doing, like, some sort of calculation. You still need to have some sort of identity for that agent to access all those files. I think that piece about identity for AI and for these non-human accounts, I think that's going to be something that is going to be a really big focus moving forward. And that's something that, again, I would kind of encourage people to start to think about, of, like, what does it look like in that space? What does logging look like in that space? If we have logging, who checks the logs? Do you have the AI check the AI for AI logs? But like, it's just, like, I think that's one of those other things that I kind of see coming over at the precipice of the horizon. And I'm just like, oh God, that's the stuff that's, like, how do you monitor and keep track of that? And that keeps me up way more than, you know, the core services of DNS.

Sherrod DeGrippo: I think, well, I'm always thinking about DNS. I don't know. I just think that, like, mapping numbers to words is just bonkers. But we did it, you guys. We did it.

Danny Adamitis: Mission accomplished.

Sherrod DeGrippo: So something else I think is worth mentioning around identity. A lot of times we say identity is the new perimeter. Something to remember when you're talking about service accounts, service principals, they don't do two-factor. Humans do two-factor, but your machine-to-machine authentication does not include that. And so it creates a much more difficult and a very different type of security problem when you're dealing with machine-to-machine authentication.

Danny Adamitis: And this is, I guess, one of the other things. Is there ways you can pin identity to an asset? So, if you have a service account that's supposed to hypothetically check your Outlook or your routers for logs, can you say that this identity is only valid when it's tied to this particular hardware-based, you know, asset? So the idea was that if someone were to compromise said account, they can't just log in willy-nilly from anywhere in the world. You have to at least have some sense of parameterization of these, you know, identities to kind of at least try to start to look for those anomalies. Because if you have any of that, looking for kind of the abuse of a legitimate admin username and password in the network, that's like looking for a needle in a haystack.

Sherrod DeGrippo: Yeah, it's true. And I think, like, so bringing it back to Forest Blizzard, let's talk a little bit about the post-compromise activity. So once they get into these SOHO routers, they hijack DNS and then give me an idea of what happens next.

Danny Adamitis: So once they hijack the DNS of the router, we believe that they would redirect all of the DNS to these actor-controlled DNS resolvers. One of the really interesting things about this is they could then passively kind of sit in the middle, and they can just see essentially every DNS, subdomain, FQDN that's ever been queried from that network. And from that, you can start to build a really good pattern of life. And you can say, hey, where does this person work? Are they connecting to, I'm going to say, like, MSTIC.microsoft.outlook or whatever? Are they connecting to some other enterprise? Do they have only Microsoft accounts? Do they potentially have some sort of other, like, you know, Apple email address? What else are they doing there? And from there, you can kind of start to see if this, you know, entity or if this network is associated with what I would call a high-value network. Is this something that is of interest to the Forest Blizzard actors? Are you associated with an energy sector? Are you associated with a foreign government and IT service? By looking at that DNS, they're able to kind of do all that stuff in a way that is just completely transparent to the end user because no one's really checking, you know, if their actual workstation was propagated, you know, malicious DNS settings via DHCP. It's not really something that happens a whole lot. And then once they're able to find some of those really valuable organizations, they can do what's called DNS poisoning. So if you did work for an energy company, and if you were trying to connect to your corporate Outlook email instance every morning, they could say, hey, next time we try to go over there and you do that transmorphing, where they go, well, this, you know, energy.outlook.com is actually associated with the legitimate IP address, they can kind of poison that and give them a malicious IP address that's associated with an actor-owned IP. And once they kind of redirect that, the computer just goes, well, it's a valid A record. Must be right. Let's just go ahead and continue on with that and carry on with our day. And that's when they're able to actually start to harvest some of those tokens. And with those tokens, they're able to just basically walk in with, like, an actual, I think that's like a work badge. If you have, you know, your kind of work ID card and you were to walk into the Microsoft office, you would just tap your badge and it goes, yep, you're a legitimate employee. Come on in. It's essentially like having that. And they're just able to walk in and basically grab all the information that's associated with that account.

Sherrod DeGrippo: Wow, so I just want to be clear for everyone listening, we actually have two-factor on the badges at work. So I have two things, something I have and something I am when I go. But yeah, so and this is all happening essentially within the router. Yeah, that's the all-seeing eye in a lot of ways of what you're doing is if you're passing that traffic over the wire, it's going through that router to leave whatever building you're in, it's the only way out. You've got to send it through there. So I think, one, it's really clever and two, it's really complete to say, look, we're just going to get in the routers. Why would we not just go ahead and pull that hardware move? Because that, you know, bypass, or not, it doesn't even bypass it. Like, doesn't even have to face anything like endpoint detection, host reboots, the user getting frustrated with something and, you know, malware is making my computer run slow, whatever it is, they don't know it's malware but things are going weird so I'm going to reboot. Persistence isn't an issue. With this, is persistence an issue? Does it sustain after a power cycle?

Danny Adamitis: So in this particular case, it would not sustain after power cycling. But again, this was, I think it was, like, one of the CVEs identified was from 2023. So again, they would just kind of periodically, we saw them go out there and we sort of talk about what we call, like, their infrastructure siloing. There was a kind of set of infrastructure that was just periodically exploiting every vulnerable device they can find. So again, even if you did get a thunderstorm down in Atlanta hypothetically and you lost power, they would just say, okay, cool. Well, in two weeks, when Vlad comes back into the office, he's going to go, oh, look, another device is vulnerable that isn't already on our list. Let's just go hack that one and change their DNS settings again. So it would buy you some time, but it's not going to necessarily fix the underlying issue. I think one of the other points I kind of like to highlight is that they are kind of targeting people when they're at home and kind of at their weakest. So again, I know Microsoft has a whole bunch of offices and there's still a lot of companies that have, like, an actual office and you probably have a firewall and you probably have an IT person who's probably cranky because he's trying to fix DNS all day. But, like, you have kind of that ecosystem of support and you have some logging and you have all these different things in place. The problem is that stuff really only ever works if you're in the office or if you're connected to it via something like a VPN appliance. And a lot of this stuff doesn't have, like, an always-on VPN appliance. You know, like, I can turn on my VPN to connect into a network if I want to, or I can just not have it on because sometimes that just adds a bunch of lag. So if you were hypothetically doing a podcast and we're rerouting it halfway around the world, well, yeah, that's going to add lag and that's going to have a suboptimal experience. So that's an option. But by doing that, you're kind of making it a little bit more vulnerable to these types of attacks.

Sherrod DeGrippo: Okay. So I think one of the reasons that we wanted to talk about this in our blog, with you, and with our public sector partners and our other private sector partners that worked on this stuff is because it really is something that's concerning that individual users have to fix. This is not an update that Microsoft can say, like, we're going to push this update out. This is not something where we're saying, you know, people need to whatever on their computer. This is actually a really hard one to get done. And you have to go update your router or not just update the software and firmware on your router, but potentially buy a new router, potentially replace it.

Danny Adamitis: And again, this is, I guess, the other thing I want to say. I've sometimes heard, okay, but I don't care. And again, that is a thing that I've heard from a lot of people. This is the issue where I feel like even if you do not feel that you are an intelligence target for the GRU, you're kind of creating this vector for them to attack someone else. So again, this is kind of where I was talking about the tragedy of the commons. Well, cool, you might not be a GRU target in the Seattle region, but if you happen to have a vulnerable router that's a block away from the Microsoft building, they could use you as an attack vector to target someone who is significantly more important or more interesting. If you are, again, the McDonald's IT person, I understand you guys might not really care as much about this, but if you have, you know, people who work in the energy sector who are line techs coming in to grab lunch, well, yeah, they're actually going to be targeted because of where they work and the accounts they have and the accesses they have. So again, by not taking this seriously, you're actually kind of doing a disservice to a bunch of your other customers. And again, I'm going to do the we're all good people who are all trying our best. We just don't know any better. So this is kind of like the PSA for the more you know.

Sherrod DeGrippo: I, well, so I agree with that. And I think that's, again, part of why this is so important for us to talk about. And that is because this is collective. This is a collective effort that we have to have really almost from a national security perspective I feel. Where each of us, you know, kind of need to make sure that we are not a platforming staging ground for threat actors to come in and do malicious things, because that really will impact everyone, especially these really kind of like apex predator, super hardcore nation-based threat actors like China, Russia. So I think it's important to think about what your hardware and router situation is, if you possibly can at all. What I would suggest is going and searching things like secure routers, go shop a little bit. There are options I think that are out there. You know, it's tough right now to buy hardware. I know the FTC released some guidance that's really difficult to meet the compliance asks of that document that some of you may have seen a couple weeks ago. But I really think that this is national infrastructure. It's like, you know, walking down the street and seeing a telephone pole on fire and just kind of saying like, eh, that's fine. It's not fine.

Danny Adamitis: Or like a downed power line. It's not fine. If someone doesn't address it, somebody's going to get hurt.

Sherrod DeGrippo: As the lightning bug said in the PSAs from my childhood, don't play around power lines. Did you ever see that one? He did a little dance while singing, don't play around power lines. Yeah, it was for kids. It was, like, on Saturday morning cartoons. So, what else do we need to know about how this works? How do they choose who to do attacker-in-the-middle against? Like, they're watching. Is there any indication of specific targeting after that surveillance action?

Danny Adamitis: Yes. So, we believe there is. Again, this is my kind of crazy idea. They probably already have a list of targets that they're interested in. Again, there's been a couple of things where they've talked about things like energy. We've seen interest in obviously US government entities. We've seen interest in think tanks, law firms. So they have a pretty good understanding of what companies or targets they have in their list, and then they compare those things. And as we talked about before, when you're kind of intercepting and collecting those, you know, fully qualified domain names, it's really not that hard to correlate, you know, the actual subdomain to a real organization. And if it hits on the list, then they send them those malicious entries. And once they have those malicious DNS entries, they're able to start to collect some of those, you know, emails. And, you know, once you start to get emails, you can say, yeah, this is really interesting or maybe we don't care about these guys as much anymore. And that's how they're able to start filtering in a way that is allowing them to enumerate what they already have access to and then kind of use that to potentially get more. So if they target a company and they find something that is really interesting to them, they might continue to say, okay, cool, where else are we seeing any entries associated with that particular organization, and how can we try to get more and more access to them?

Sherrod DeGrippo: And at this scale, which is potentially thousands of devices or more, they've got to filter that signal from noise. And if I were doing it, I would definitely, this is a perfect use case for an LLM, perfect use case to do a lot of large-scale text and traffic processing with some kind of AI system that could, you could write an easy agent that would be able to manage a lot of this infrastructure and content for you and just tell you where you need to put your attention.

Danny Adamitis: Yeah, it's structured data, it's easy, it's a known protocol, it's, you know, fixed kind of all the parameters.

Sherrod DeGrippo: All right, Danny, anything else we need to know about Forest Blizzard? I'm going to wrap this up.

Danny Adamitis: So, one last thing, and this was kind of like one of my little favorite things about this. So, we were tracking this and we saw them starting to implement this procedure, I believe it was the spring of 2025. And at first, when we saw them standing this up, they were doing this in what I will call very narrow or targeted ASNs. So, when we started looking at, like, I think the first kind of malicious DNS server, I think there was, like, sub 10 IP addresses in the world communicating with it. So again, obviously caveats based off our visibility, our collection, blah, blah, blah, but it appeared to be very small and narrow. One of the things that sticks out to me was in the summer, there was the UK NCSC. They released this report called Authentic Antics that describes a tool set associated with Forest Blizzard, where they were basically grabbing authentication material from an Outlook server that would allow them to kind of have that really good, really deep access. This report went out and we basically saw the activity associated with that malware decrease. And 48 hours later, we saw an exponential increase in DNS hijacking attempts. So this is kind of where we're talking about, like, how persistent and how brazen they are. They basically had one capability burned, and I think it was 24 to 48 hours later, they just said, okay, well, if you're going to take that tool away from us, we're going to switch to this DNS hijacking, and it just shows that they are actually very astute to what's happening, and then they just completely change things out to continue on with those, you know, objectives almost in real-time without missing a beat. So that was something that I thought was just super interesting about them, just showing that they have some of these capabilities on the shelf. The other thing that I thought was interesting that we haven't hit on yet. I know there's going to be some people who are probably listening to this and they're going to say, well, this is their fault. They were using classical DNS which uses UDP, and they should have known that this was vulnerable to all this interception and all this monitoring. You should use something like DNS over HTTPS or DNS over TLS. And if they did that, they would have been safe. Well, no, they actually set up, because you own the DNS resolver itself, all they had to do was basically download and install the exact same DNS over TLS software and then configure that to run over port 853. So again, if there are some of those people who think that, you know, we can just change this and we're good to go. Well, not really. The attackers already thought of that one, and they also have that capability, which is why we were trying to highlight that it wasn't just a passive monitoring of DNS at the router, but an actual redirection of the DNS resolver to actor-controlled infrastructure. And once you're passing through a server that the attackers own, they can kind of do whatever they want. So that was just something else that, of course, you know, I know someone is probably going to be calling in or listening and saying, well, why didn't we do that one? Well, that's kind of why that didn't work either.

Sherrod DeGrippo: Well, and I think, too, you have to have a relatively, at least a very basic understanding of how DNS works exactly to understand the way that this attack works and to understand why hijacking the DNS resolution is such a pernicious, I guess I should say, such a threatening way to do it, such an effective way to do this. So, it's not something that everyone is just easily going to understand really quickly. So, Danny, this is getting me to think kind of about what are the third-party implications here? What else should we be thinking about with this? What's the angle from the outside?

Danny Adamitis: So one of the parts of the research that caught my attention that I was not able to fully run to ground was that, as we talked about before, we saw targeting of some of these organizations such as, you know, private firms. There was a subset called IT organizations. And again, when people start to think about IT organizations, these are people who typically manage technology on behalf of other companies. So this was something else that really caught my attention because if you're able to walk into the IT organization as a legitimate admin, or in this case with an admin-based token, you could then potentially use that admin token to start to impact all of your downstream customers. This is something that we saw, I believe it was, the Nobelium actor. Oh, Midnight Blizzard I believe is what you guys are calling him on the Microsoft side. They did a variant of this with the cloud ecosystem a couple years ago that was really effective. There is, like, an infamous case study called Cloud Hopper where they were able to do something like this. And when you, again, have your legitimate outsourced IT admin logging into your system to collect information such as logs or such as files, it does not really trigger any alarms. And that's kind of that, you know, kind of second-order implication that might not have been super apparent, but definitely is real and could have an impact on organizations.

Sherrod DeGrippo: I think if you're listening to this and your head's kind of spinning a little bit, to level set, yeah, this is a threat actor that really has significant capability. This, to me, and I'm open to Danny's kind of interpretation and stack rank on this, too. To me, you know, we always say, I've stopped saying APT, you know, Advanced Persistent Threat. I've stopped saying that because I just feel like, you know, at this point the delineation isn't, like, a this or a that. It's this spectrum of clusters of really good at it, a little less good at it, and bad at it, and, you know. But in my estimation, Forest Blizzard definitely is one of those really persistent threat actors, because they just keep going.

Danny Adamitis: They just have a near-infinite pipeline of people. And again, they've just, as we kind of talked about the top of the hour, they've been at this for probably a decade, if not two, and they're probably still going to be around for another decade or two. So the only thing you can really do at that point is just try to follow them, figure out what they're doing, and then try to take some of these actions, like we were able to kind of do with some of our public sector partners, and kind of buy people time to sort of shore up their defenses, shore up their logging, shore up their identity services, because that way they have a fighting chance of detecting exoticness.

Sherrod DeGrippo: So you can't just secure your own stuff anymore. You have to now think about everything that you and your users depend on to get access to internet infrastructure. So Forest Blizzard really isn't doing something that's, like, totally new, but they're doing something at scale that's kind of smarter and they're doing it with things that already exist. Like, this infrastructure is there for them. They don't need to create anything new. They can just leverage the ground that's there.

Danny Adamitis: And again, I think we saw, what was it, based off the Microsoft reporting, this hit something like 500 different organizations around the world. So this was not, you know, a quick onesie twosie thing. This was a huge, massive, industrial-scale campaign.

Sherrod DeGrippo: And I think that scale is really important to understand because for me, the further we get into this new AI era, the more AI adoption there is. To me, AI is about acceleration and scale. That really is what it enables people to do. It's a tool that gives scale at speed. And I think that we're going to see threat actors continuing to use it to get better and better at doing more and more.

Danny Adamitis: Faster.

Sherrod DeGrippo: So, yeah.

Danny Adamitis: And that's kind of the other issue is before this used to have to be a person going through all the DNS logs, running their favorite grep commands in Linux and trying to extract the ones they thought were interesting. Now this is something where you can set up an LLM to do that, go get a cup of coffee and come back, and you get a pretty Excel spreadsheet or, you know, you'll get something that tells you what's of interest and what's there. It just again enables them to go faster, which means that on the defensive side we'd also need to be a little bit faster.

Sherrod DeGrippo: I think that to me that's what my brain is wrapping around right now, is that AI is this new world of natural language interface. Like, we started with command line interfaces, we moved to GUI interfaces, and now we can talk to our computers. Instead of typing and pointing, we can converse with them and converse with our data. And so you can genuinely say, if you are Forest Blizzard, you can say, go through everything I've collected and find the ones that are the most interesting, the most dangerous, and will have a faster impact on my objectives. And it'll give that to you, quickly and easily. Then you can start executing other commands through natural language, which I think is a beautiful wonderland for those of us who are not malicious, and a terrifying nightmare for those who wield it for bad purposes.

Danny Adamitis: Nefarious purposes.

Sherrod DeGrippo: 2026, everyone. But you know what? I want to thank my friend, distinguished engineer at the threat intelligence arm of Lumen Technologies, Danny Adamitis. Oh, please come back on the podcast again.

Danny Adamitis: Of course. Of course.

Danny Adamitis: Oh, and can I just say real quick, thank you for having us. I would also like to thank our wonderful counterparts at the MSTIC Russia team. I know they typically do not like the limelight, but I would say this would not be possible without them. So I'd like to say thank you to those gentlemen. And of course all of the wonderful people on the Lumen Technologies engineering team that gives me all the data, lets me do all the fun stuff. Because, you know, without them patching our systems and maintaining them, none of this would be possible.

Sherrod DeGrippo: I agree, and I want to second that. Thank you so much to all the people who helped put this stuff together, write these blogs, get all this coordination and collaboration done so that we can actually have some impact here. And that really is the final takeaway for those of you who are listening. Please take care of your routers. Yes, security hygiene does work, but it doesn't work when you don't apply it to every part of the infrastructure that you use. So don't neglect your routers. Please update them. This has been the "Microsoft Threat Intelligence Podcast". You can find us at msthreatintelpodcast.com or wherever you get your favorite podcasts. [ Music ] Thanks for listening to the "Microsoft Threat Intelligence Podcast". We'd love to hear from you. Email us with your ideas at TIpodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app. [ Music ]