Microsoft has taken steps to disrupt and mitigate a widespread campaign by the Russian nation-state threat actor Midnight Blizzard targeting TeamCity servers using the publicly available exploit for CVE-2023-42793.
Following exploitation, Midnight Blizzard uses scheduled tasks to keep a variant of VaporRage malware persistent. The VaporRage variant, which is similar to malware deployed by the threat actor in recent phishing campaigns, abuses Microsoft OneDrive and Dropbox for C2.
Post-compromise activity includes credential theft using Mimikatz, Active Directory enumeration using DSinternals, deployment of tunneling tool rsockstun, and turning off antivirus and EDR capabilities.
In addition to disrupting the abuse of Microsoft OneDrive for command and control, Microsoft Defender Antivirus and Microsoft Defender for Endpoint protect customers against this and other Midnight Blizzard malware.
Midnight Blizzard is the latest nation-state threat actor observed exploiting the TeamCity CVE-2023-42793 vulnerability. In October, North Korean threat actors Diamond Sleet and Onyx Sleet exploited the same vulnerability in separate attacks: msft.it/6010iVpcp
Although many of the compromises appear to be opportunistic, affecting unpatched Internet-facing TeamCity servers, Microsoft continues to work with the international cybersecurity community to mitigate the potential risk to software supply chain ecosystems.
We are especially grateful to our partners in the international cybersecurity community for their collaboration on this investigation.
Microsoft has identified a Russian-based nation-state threat actor tracked as Forest Blizzard (STRONTIUM, APT28, FANCYBEAR) actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers: msft.it/6018iPOLm
Forest Blizzard primarily targets government, energy, transportation, and non-governmental orgs in the US, Europe, and the Middle East. The threat actor also commonly employs other known public exploits in their attacks, such as CVE-2023-38831 or CVE-2021-40444, among others.
The Polish Cyber Command (DKWOC) partnered with Microsoft to take action against Forest Blizzard actors, and to identify and mitigate techniques used by the actor. We thank DKWOC for their partnership and collaboration on this effort. msft.it/6019iPOLW
Microsoft has detected Danabot (Storm-1044) infections leading to hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of Cactus ransomware. In this campaign, Danabot is distributed via malvertising.
Storm-0216 has historically received handoffs from Qakbot operators but has since pivoted to leveraging different malware for initial access, likely a consequence of the Qakbot infrastructure takedown.
The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering.
Microsoft has discovered exploitation of a 0-day vulnerability in the SysAid IT support software in limited attacks by Lace Tempest, a threat actor that distributes Clop ransomware. Microsoft notified SysAid about the issue (CVE-2023-47246), which they immediately patched.
Organizations using SysAid should apply the patch and look for any signs of exploitation prior to patching, as Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware. msft.it/60129CIJy
After exploiting the vulnerability, Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware. This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.
The threat actor that Microsoft tracks as Sapphire Sleet, known for cryptocurrency theft via social engineering, has in the past few weeks created new websites masquerading as skills assessment portals, marking a shift in the persistent actor’s tactics.
Sapphire Sleet, which overlaps with threat actors tracked by other researchers as BlueNoroff, CageyChameleon, and CryptoCore, is a nation-state sponsored threat actor based in North Korea and has targeted organizations in the cryptocurrency sector.
Sapphire Sleet typically finds targets on platforms like LinkedIn and uses lures related to skills assessment. The threat actor then moves successful communications with targets to other platforms.
Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.
The four IP addresses below were observed sending related CVE-2023-22515 exploit traffic:
192.69.90[.]31
104.128.89[.]92
23.105.208[.]154
199.193.127[.]231
CVE-2023-22515 is a critical privilege escalation vulnerability in Atlassian Confluence Data Center and Server. Any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application.
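One way to act on the four source IPs listed above is to sweep the Confluence web server's access logs for them. The script below is an added example and is not part of Microsoft's post: it refangs the `[.]`-style indicators exactly as published, parses lines in the common Apache/nginx combined log format (an assumption about how the reader's server logs), and reports every request that came from one of those addresses. The log lines embedded in it are constructed sample data, not real traffic.

```python
import ipaddress
import re
from collections import Counter

# Source IPs published in the Microsoft Threat Intelligence post, kept defanged
# so the list can be pasted from a report without accidental resolution.
DEFANGED_IOCS = [
    "192.69.90[.]31",
    "104.128.89[.]92",
    "23.105.208[.]154",
    "199.193.127[.]231",
]


def refang(ioc: str) -> str:
    """Turn a defanged address such as 192.69.90[.]31 back into a parseable IP."""
    for token in ("[.]", "(.)", "{.}"):
        ioc = ioc.replace(token, ".")
    return ioc


# Parsing through ipaddress normalises the text and rejects malformed entries early.
IOC_SET = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS}

# Combined log format (assumed): client IP first, request line in quotes, then status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return a dict for a well-formed combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ip"] = ipaddress.ip_address(rec["ip"])
    except ValueError:
        return None  # first field was not an IP (e.g. a hostname); skip rather than crash
    return rec


def find_ioc_hits(lines):
    """Return every parsed request whose client IP is one of the published indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in IOC_SET:
            hits.append(rec)
    return hits


def count_by_ip(lines):
    """Summarise hits as {ip_string: request_count} for a quick triage view."""
    return Counter(str(h["ip"]) for h in find_ioc_hits(lines))


# Constructed sample log; the three matching lines are synthetic, not observed traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2023:09:12:01 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.69.90.31 - - [18/Oct/2023:09:12:44 +0000] "GET /index.action HTTP/1.1" 200 2210 "-" "python-requests/2.31"
199.193.127.231 - - [18/Oct/2023:09:13:02 +0000] "POST /index.action HTTP/1.1" 302 0 "-" "curl/8.1"
10.0.0.7 - - [18/Oct/2023:09:13:30 +0000] "GET /dashboard.action HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
23.105.208.154 - - [18/Oct/2023:09:14:10 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "curl/8.1"
"""

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG.splitlines()):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} {hit["status"]}')
    print(dict(count_by_ip(SAMPLE_LOG.splitlines())))
```

A hit on one of these addresses is a reason to check for Confluence administrator accounts that nobody created on purpose, which is the outcome the post says the exploit produces; absence of a hit is not a clean bill of health, since other infrastructure may have been used.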
Adversary-in-the-middle (AiTM) phishing techniques continue to proliferate through the phishing-as-a-service (PhaaS) cybercrime model, as seen in the increasing number of AiTM-capable PhaaS platforms throughout 2023.
In addition to new PhaaS services, established phishing services like PerSwaysion have added AiTM capabilities. This development in the PhaaS ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale.
Some phishing kits, like EvilGinx, Modlishka, Muraena, and EvilProxy, use reverse proxy servers for AiTM attacks. In this case, every HTTP packet is proxied to and from the original website, making the URL the only visible difference between the phishing page and the legitimate site.