
Russian cyber attack against Microsoft: a phishing technique designed to trap users

The Microsoft Threat Intelligence Center (MSTIC), the division responsible for monitoring computer threats, reports that it has discovered a gang of Russian hackers conducting a large-scale campaign against Microsoft 365 accounts. The cybercriminals belong to a group, codenamed Storm-237, that is probably acting on behalf of Russia.

To trap users, the hackers rely on phishing messages. They contact their target on WhatsApp, Signal or Microsoft Teams, posing as "an important and relevant person" to their interlocutor. This is a classic strategy for lowering the victim's guard. For example, they pose as a professional contact who invites the user to a video conference.

A very specific phishing attack

To join the conference, the victim is invited to a meeting on Microsoft Teams by means of a clickable link. It leads to a "legitimate login page" that asks the target for an authorization code. In fact, the phishing site asks for a code instead of the usual login credentials, such as a password. In this type of attack, the hacker exploits the authentication mechanism provided for input-constrained devices, that is, devices without a traditional input interface such as a keyboard or a web browser. This includes televisions and other connected objects.

For these devices, authentication is instead typically done with an authorization code entered on another device. Rather than typing a password on the device itself, the user enters the code on a second device, such as a smartphone or computer, to prove their identity. Here, the code is supplied directly by the hacker in the invitation. By exploiting this alternative mechanism, the cybercriminals take control of the Microsoft account without ever having to obtain a password.

Prolonged access to hacked accounts

The attacker can use the stolen authentication tokens to access other services, such as the victim's email or online storage, without needing the password. As long as these tokens remain valid, the attacker retains access. In addition, the hacker can obtain a master refresh token, which allows them to extend their access by stealing the specific client ID, a unique identifier used in Microsoft's authentication process.

Among the gang's favorite targets are "governments, NGOs, and a wide range of industries across multiple regions" of the world, including North America, Africa and the Middle East. Microsoft recommends that organizations likely to be targeted by the hackers block the use of authorization codes. This precaution prevents the hackers from leveraging the mechanism to achieve their goals. It is, of course, the responsibility of the administrators of the organization's Microsoft environment.
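As an added, defender-side example (not from the article or from Microsoft): a small Python check that flags sign-ins which used the device code flow described above, since the token lands on whichever client started the flow rather than on the victim's device. The record shape and field names (authenticationProtocol, ipAddress, userPrincipalName, status.errorCode) follow the Entra ID sign-in log schema as I understand it, the sample records are constructed, and the allow-list of accounts expected to use the flow is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Entra ID sign-in log entries (one JSON object per line).
SAMPLE_LOG = """
{"userPrincipalName": "alice@example.org", "authenticationProtocol": "authorizationCodeFlow", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Office", "status": {"errorCode": 1}}
"""
# Accounts whose job legitimately needs the device code flow (headless CLIs,
# shared screens): an assumed allow-list; any other use of the flow is unexpected.
ALLOWED_DEVICE_CODE_USERS = {"bob@example.org"}

def parse_log(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def baseline_from_records(records):
    """Map each user to addresses seen on sign-ins that did NOT use device code."""
    ips = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            ips[r["userPrincipalName"]].add(r["ipAddress"])
    return ips

def find_device_code_signins(records, known_ips=None):
    """One alert per device-code sign-in. The token goes to whichever client
    started the flow, so the logged ipAddress belongs to the initiating device,
    not the victim; an address never seen for the user on a normal flow stands out."""
    known_ips = known_ips if known_ips is not None else {}
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user, ip = r["userPrincipalName"], r["ipAddress"]
        reasons = ["device code flow used"]
        if user not in ALLOWED_DEVICE_CODE_USERS:
            reasons.append("user not on the device-code allow-list")
        if ip not in known_ips.get(user, set()):
            reasons.append("token issued to an address never seen for this user")
        if r.get("status", {}).get("errorCode", 0) != 0:
            reasons.append("attempt failed (code expired, declined or blocked)")
        alerts.append({"user": user, "ip": ip, "app": r.get("appDisplayName"), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in find_device_code_signins(recs, baseline_from_records(recs)):
        print(a["user"], a["ip"], a["app"], "; ".join(a["reasons"]))
```

Flagged sign-ins from accounts that never use the flow, or from an address the user has never signed in from otherwise, are the ones to revoke sessions and refresh tokens for first; blocking the flow with a Conditional Access policy, as the article recommends, removes the signal along with the risk.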

Source: Microsoft
