Amazon disrupts Russian APT29 hackers targeting Microsoft 365 www.bleepingcomputer.com/news/secu…
Researchers have disrupted an operation attributed to the Russian state-sponsored threat group Midnight Blizzard, which sought access to Microsoft 365 accounts and data.
Also known as APT29, the hacker group compromised websites in a watering hole campaign to redirect selected targets “to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow.”
The Midnight Blizzard threat actor has been linked to Russia’s Foreign Intelligence Service (SVR) and is well-known for its clever phishing methods that recently impacted European embassies, Hewlett Packard Enterprise, and TeamViewer.
Amazon’s threat intelligence team discovered the domain names used in the watering hole campaign after creating an analytic for APT29’s infrastructure.
An investigation revealed that the hackers had compromised multiple legitimate websites and obfuscated malicious code using base64 encoding.
By using randomization, APT29 redirected roughly 10% of the compromised websites’ visitors to domains that mimic Cloudflare verification pages, like findcloudflare[.]com or cloudflare[.]redirectpartners[.]com.
As Amazon explains in a report on the recent action, the threat actors used a cookie-based system to prevent the same user from being redirected multiple times, reducing suspicion.
Victims who landed on the fake Cloudflare pages were guided to a malicious Microsoft device code authentication flow, in an attempt to trick them into authorizing attacker-controlled devices.
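A defender-side triage of the device code sign-ins this campaign relies on, as an added example that is not from the article or from Amazon's report. It assumes exported Microsoft 365 sign-in records in the Microsoft Graph signIn shape (one JSON object per line, with authenticationProtocol set to "deviceCode" for device code authentications); the sample records and the list of apps expected to use device code are constructed.

```python
import json
from collections import defaultdict
# Constructed sample records (shape assumed: one Microsoft Graph signIn-style JSON object per line).
SAMPLE_SIGNINS = """\
{"userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7","appDisplayName":"Outlook","createdDateTime":"2025-08-25T08:01:00Z","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.45","appDisplayName":"Microsoft Office","createdDateTime":"2025-08-27T10:12:00Z","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.9","appDisplayName":"Azure CLI","createdDateTime":"2025-08-27T11:00:00Z","status":{"errorCode":0}}
{"userPrincipalName":"dave@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.12","appDisplayName":"Outlook","createdDateTime":"2025-08-27T09:30:00Z","status":{"errorCode":0}}
{"userPrincipalName":"dave@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.45","appDisplayName":"Microsoft Office","createdDateTime":"2025-08-27T12:00:00Z","status":{"errorCode":0}}
{"userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.45","appDisplayName":"Microsoft Office","createdDateTime":"2025-08-27T10:15:00Z","status":{"errorCode":50126}}
"""
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}  # apps this (assumed) environment legitimately uses device code with

def parse_signins(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def usual_ips(signins):
    """Per-user baseline: IPs seen on successful non-device-code sign-ins."""
    seen = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            seen[s["userPrincipalName"]].add(s["ipAddress"])
    return seen

def flag_device_code_signins(signins):
    """Successful device code sign-ins worth triage, most reasons first.
    Failed attempts are skipped: no device was authorized."""
    baseline = usual_ips(signins)
    ok_dc = [s for s in signins
             if s["authenticationProtocol"] == "deviceCode" and s["status"]["errorCode"] == 0]
    users_by_ip = defaultdict(set)  # one redeeming IP serving many users is a strong signal
    for s in ok_dc:
        users_by_ip[s["ipAddress"]].add(s["userPrincipalName"])
    findings = []
    for s in ok_dc:
        reasons = []
        if s["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("unexpected app")
        if s["ipAddress"] not in baseline.get(s["userPrincipalName"], set()):
            reasons.append("ip outside user baseline")
        if len(users_by_ip[s["ipAddress"]]) > 1:
            reasons.append("ip redeemed device codes for multiple users")
        if reasons:
            findings.append({"user": s["userPrincipalName"], "ip": s["ipAddress"], "app": s["appDisplayName"], "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings

if __name__ == "__main__":
    for finding in flag_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(finding)
```

On the sample, alice and dave are flagged on all three reasons, bob only because his Azure CLI sign-in has no baseline, and carol's failed attempt is skipped.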