Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian state-sponsored actor we track as Star Blizzard.
Star Blizzard has improved their detection evasion capabilities since 2022 while remaining focused on email credential theft against the same targets.
Microsoft is grateful for the collaboration on investigating Star Blizzard compromises with the international cybersecurity community, including our partners at the UK National Cyber Security Centre, the US National Security Agency Cybersecurity Collaboration Center, and the US Federal Bureau of Investigation.
Based on our analysis of the actor's TTPs since our previous blog post in 2022, Star Blizzard has evolved to focus on improving its detection evasion capabilities.
Beginning in April 2023, we observed Star Blizzard gradually move away from using hCaptcha servers as the sole initial filter in front of their Evilginx server infrastructure. A CAPTCHA gate of this kind stops automated scanners from ever reaching the credential-harvesting page while a human target simply clicks through, so its removal as the only filter indicates the actor has layered in other filtering.
Most Star Blizzard HubSpot email campaigns have targeted multiple academic institutions, think tanks, and other research organizations using a common theme, aimed at obtaining their credentials for a US grants management portal.
Star Blizzard's use of the MailerLite platform is similar to the second HubSpot tactic described above, with the observed campaign URL redirecting to actor-controlled infrastructure purposed for email credential theft.
In December 2022, we first observed Star Blizzard using a DNS provider that also acts as a reverse proxy to resolve actor-registered domain infrastructure, so that resolving the domain returns the provider's proxy addresses rather than the actor's own server.
As of May 2023, most Star Blizzard registered domains associated with their redirector servers use a DNS provider to obscure the resolving IP addresses allocated to their dedicated VPS infrastructure.
We have yet to observe Star Blizzard utilizing a DNS provider to resolve domains used on Evilginx servers.
Star Blizzard has been observed sending password-protected PDF lures in an attempt to evade email security processes implemented by defenders, since a content scanner cannot open an encrypted attachment without the password the actor supplies in the message body.
Microsoft suspends Star Blizzard operational accounts discovered using our platform for their spear-phishing activities.
Following the detailed public reporting by Recorded Future on detection opportunities for Star Blizzard domain registrations, we have observed the threat actor making significant changes to their chosen domain naming syntax.
Prior to the public reporting, Star Blizzard used a limited wordlist for their domain generation algorithm (DGA). Since then, Microsoft has observed the threat actor upgrade their domain-generating mechanism to draw on a larger, more randomized list of words.
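The detection opportunity behind a wordlist-driven DGA is that every registered label can be broken cleanly into words from a small vocabulary. The following is an added example of that check, not Microsoft's or Recorded Future's detection logic; the wordlist and TLD set are constructed for illustration and are not Star Blizzard's actual vocabulary. It segments the second-level label with a word-break dynamic program (hyphens act as separators, otherwise words are assumed to be concatenated) and flags labels that decompose entirely into two to four wordlist terms.

```python
"""Flag domains whose second-level label is built entirely from a fixed wordlist.

Added example; the WORDLIST and TLDS below are constructed assumptions, not the
actor's real vocabulary. Swap in the published terms for an actual hunt.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed wordlist (hypothetical) of the kind of lure-themed terms a
# credential-phishing actor might chain together.
WORDLIST: FrozenSet[str] = frozenset({
    "cloud", "secure", "mail", "doc", "docs", "file", "share", "drive",
    "portal", "login", "access", "view", "online", "my", "service", "hub",
})

# Constructed set of TLDs to consider; kept small so the example runs offline.
TLDS: FrozenSet[str] = frozenset({"com", "net", "org", "online", "site", "top"})


def split_domain(fqdn: str) -> Tuple[str, str]:
    """Return (second-level label, tld) for a domain such as 'secure-docs.com'."""
    parts = fqdn.lower().strip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"not a registrable domain: {fqdn!r}")
    return parts[-2], parts[-1]


def _word_break(s: str, words: FrozenSet[str]) -> Optional[List[str]]:
    """Classic word-break DP: best[i] holds the fewest-word segmentation of s[:i]
    using only `words`, or None if s[:i] cannot be segmented."""
    best: List[Optional[List[str]]] = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            prefix = best[j]
            if prefix is not None and s[j:i] in words:
                cand = prefix + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(s)]


def segment(label: str, words: FrozenSet[str] = WORDLIST) -> Optional[List[str]]:
    """Break a label into wordlist words. Hyphens separate chunks; each chunk
    must itself segment fully, otherwise the whole label is rejected (None)."""
    result: List[str] = []
    for chunk in label.split("-"):
        seg = _word_break(chunk, words)
        if seg is None:
            return None
        result.extend(seg)
    return result


def score_domain(fqdn: str) -> Dict[str, object]:
    """Report the segmentation and whether the domain matches the DGA pattern:
    a label made only of 2-4 wordlist words under one of the expected TLDs."""
    label, tld = split_domain(fqdn)
    words = segment(label)
    suspicious = words is not None and 2 <= len(words) <= 4 and tld in TLDS
    return {"domain": fqdn, "words": words, "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed sample registrations, not observed indicators.
    for d in ("secure-docs.com", "mydrivefile.net", "microsoft.com", "cloud.com"):
        print(score_domain(d))
```

Once the actor moves to a larger, more randomized vocabulary, as the report describes, a fixed wordlist match degrades; the same segmentation can then be run against a general English dictionary, with the word count and TLD acting as the discriminator instead of the specific terms.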
Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts.
Star Blizzard continues to use the publicly available Evilginx framework to achieve their objective, with spear-phishing via email remaining the initial access vector.
Star Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure used for spear-phishing activities, where each server usually hosts a separate actor-registered domain.
As with all threat actors that focus on phishing or spear-phishing to gain initial access to victim mailboxes, individual email users should be aware of who these attacks target and what they look like to improve their ability to identify and avoid further attacks.
The sender address could be from any free email provider, but special attention should be paid to emails received from Proton account senders as they are frequently used by Star Blizzard.
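Two of the traits called out above, a Proton sender address and a password-protected PDF attachment, can be checked mechanically at the mail gateway. The following triage routine is an added example for this page, not Microsoft's detection content. The Proton domain set, the sample messages and the PDF byte strings are constructed assumptions; the encryption check is a heuristic that looks for the `/Encrypt` key that an encrypted PDF carries in its trailer dictionary (or cross-reference stream dictionary), which is exactly the case a content scanner cannot open.

```python
"""Triage inbound mail for a Proton sender plus an encrypted PDF attachment.

Added example; PROTON_DOMAINS and the sample messages/PDFs are constructed
assumptions, not data from the report.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed Proton sender domains (constructed list for the example).
PROTON_DOMAINS = frozenset({"proton.me", "protonmail.com", "pm.me", "protonmail.ch"})

# An encrypted PDF names its encryption dictionary under /Encrypt, either as an
# indirect reference ("4 0 R") or inline ("<< ... >>"). The lookahead keeps
# "/EncryptMetadata" inside the dictionary itself from matching.
_ENCRYPT_RE = re.compile(rb"/Encrypt\s*(?:\d+\s+\d+\s+R|<<)")


@dataclass
class Attachment:
    filename: str
    content: bytes


@dataclass
class Message:
    sender: str
    subject: str
    attachments: List[Attachment] = field(default_factory=list)


def is_pdf(data: bytes) -> bool:
    # The header may be preceded by a few junk bytes, which readers tolerate.
    return b"%PDF-" in data[:1024]


def pdf_is_encrypted(data: bytes) -> bool:
    """Heuristic: a PDF whose trailer/xref-stream references /Encrypt requires a
    password (or the empty user password) to decrypt its streams."""
    return is_pdf(data) and _ENCRYPT_RE.search(data) is not None


def sender_domain(addr: str) -> str:
    """Domain part of 'Name <user@host>' or bare 'user@host', lowercased."""
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


def triage(msg: Message) -> Dict[str, object]:
    """Collect the reasons a message matches; flag when both traits co-occur."""
    reasons: List[str] = []
    if sender_domain(msg.sender) in PROTON_DOMAINS:
        reasons.append("sender uses a Proton domain")
    for att in msg.attachments:
        if pdf_is_encrypted(att.content):
            reasons.append(f"password-protected PDF attachment: {att.filename}")
    return {"subject": msg.subject, "flag": len(reasons) >= 2, "reasons": reasons}


# Constructed minimal PDF bodies (not real lures): one encrypted, one plain.
ENCRYPTED_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Filter /Standard /V 5 /R 6 /Length 256 /EncryptMetadata true >> endobj\n"
    b"trailer\n<< /Size 5 /Root 1 0 R /Encrypt 4 0 R /ID [<00><00>] >>\n%%EOF\n"
)
PLAIN_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"trailer\n<< /Size 3 /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample messages.
SAMPLE_MESSAGES = [
    Message("Grants Office <grants@proton.me>", "Grant documents for review",
            [Attachment("grant.pdf", ENCRYPTED_PDF)]),
    Message("colleague@example.org", "Agenda", [Attachment("agenda.pdf", PLAIN_PDF)]),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(triage(m))
```

Neither trait is malicious on its own; a flag is a reason to hold the message for a sandbox that can open the PDF with the password quoted in the body, or for analyst review, rather than grounds to block it outright.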
Microsoft is sharing indicators of compromise related to this activity at the end of this report to encourage the security community to further investigate for potential signs of Star Blizzard activity using their security solution of choice.
This Cyber News was published on www.microsoft.com. Publication date: Thu, 07 Dec 2023 14:43:05 +0000