Main topic: Russian state-sponsored hackers posing as technical support staff on Microsoft Teams to compromise global organizations, including government agencies.
Key points:
1. The hacking campaign was carried out by a Russian state-sponsored group known as APT29 or Cozy Bear.
2. The group is linked to the SolarWinds attack in 2020 and is part of Russia's Foreign Intelligence Service.
3. The hackers used previously compromised Microsoft 365 accounts to create new technical support-themed domains.
4. They sent Microsoft Teams messages to manipulate users into granting approval for multi-factor authentication prompts.
5. By gaining access to user accounts, the hackers aimed to exfiltrate sensitive information.
6. Fewer than 40 unique global organizations were targeted or breached, including government agencies, non-government organizations, and various sectors.
7. Microsoft has mitigated the use of the domains and continues to investigate the activity.
8. The campaign follows a recent incident where Chinese hackers exploited a flaw in Microsoft's cloud email service.
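The two behaviours in points 3 to 6 (support-themed sender domains contacting users over Teams, and users being pushed into approving MFA prompts) are both observable by a defender. The following is an added example, not code from the page, from Microsoft, or from any vendor tooling: a small Python script that runs two heuristics over constructed sample events. The log field names, the sample domains, and the keyword list are assumptions chosen for illustration, not a real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA events (not real logs): (user, ISO timestamp, prompt result).
# Alice receives a burst of prompts and finally approves; Bob approves a single prompt.
SAMPLE_MFA_EVENTS = [
    ("alice@example.org", "2023-08-02T09:00:05", "denied"),
    ("alice@example.org", "2023-08-02T09:00:40", "denied"),
    ("alice@example.org", "2023-08-02T09:01:20", "denied"),
    ("alice@example.org", "2023-08-02T09:02:10", "approved"),
    ("bob@example.org", "2023-08-02T10:15:00", "approved"),
]

# Constructed sample external Teams chat invites: (recipient, sender tenant domain, sender display name).
# The first mimics a support desk; the second is an ordinary business partner.
SAMPLE_TEAMS_INVITES = [
    ("alice@example.org", "msteams-helpdesk.onmicrosoft.com", "Microsoft Identity Protection"),
    ("bob@example.org", "partner-corp.onmicrosoft.com", "Dana from Partner Corp"),
]

# Assumed keyword list for support-themed lures; tune to your own environment.
SUPPORT_KEYWORDS = ("support", "helpdesk", "identity", "protection", "security")


def flag_mfa_fatigue(events, min_prompts=3, window=timedelta(minutes=10)):
    """Return users who approved an MFA prompt after receiving at least
    min_prompts prompts (the approval included) inside the given window."""
    by_user = defaultdict(list)
    for user, ts, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))

    flagged = []
    for user, evs in by_user.items():
        evs.sort()
        for i, (t, result) in enumerate(evs):
            if result != "approved":
                continue
            # Prompts of any outcome that preceded this approval within the window.
            prior = [e for e in evs[:i] if t - e[0] <= window]
            if len(prior) + 1 >= min_prompts:
                flagged.append(user)
                break  # one hit per user is enough to raise an alert
    return flagged


def flag_support_themed_senders(invites, own_domains=("example.org",)):
    """Return (recipient, sender_domain) pairs where an external tenant's
    domain or display name uses support-desk wording."""
    flagged = []
    for recipient, sender_domain, display_name in invites:
        if sender_domain in own_domains:
            continue  # internal senders are out of scope for this heuristic
        text = f"{sender_domain} {display_name}".lower()
        if any(keyword in text for keyword in SUPPORT_KEYWORDS):
            flagged.append((recipient, sender_domain))
    return flagged


if __name__ == "__main__":
    print("MFA fatigue candidates:", flag_mfa_fatigue(SAMPLE_MFA_EVENTS))
    print("Support-themed external senders:", flag_support_themed_senders(SAMPLE_TEAMS_INVITES))
```

Neither heuristic is conclusive on its own; the useful signal is the overlap, a user who accepted a Teams chat from a support-themed external tenant and then approved an MFA prompt after a burst of denials, which is the sequence the summary describes and a sensible trigger for an account review.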
Chinese hackers targeted government and government-linked organizations worldwide, exploiting a zero-day vulnerability in Barracuda Email Security Gateway (ESG), with a particular focus on entities in the Americas, according to a report by Mandiant. Almost one-third of the hacked appliances belonged to government agencies, and the attacks were motivated by espionage, with a threat actor known as UNC4841 exfiltrating data from high-profile users in government and high-tech industries. Despite patches, the FBI warns that compromised devices are still being targeted, and advises customers to replace hacked appliances and investigate potential breaches.
The University of Minnesota confirmed a data breach in which a hacker gained unauthorized access to sensitive information of applicants, students, and employees, including Social Security numbers and passport information, dating back to 1989.