APT28 (Russia): The Russian-linked APT28 threat group, also known as Fancy Bear, was seen carrying out a large-scale attack against Office 365 users according to researchers at Microsoft. The attacks began in April and are still ongoing. Mostly targeting users in the United States and the United Kingdom, these people work at companies that are in some way affiliated with the upcoming elections. Leading up to the 2016 presidential election, APT28 was also accused of carrying out attacks. Through the use of spear-phishing, a series of credential-harvesting campaigns were launched. After compromising targeted individuals the threat actor stole the credentials of additional user accounts and used those for lateral movement throughout the internal network. This time around, the group has shifted tactics and began using brute-forcing and password spraying attacks to gain access to targeted accounts. These attacks allow the group to use programs to essentially guess a password that someone is using and preying on victims who use simple passwords without Multi-Factor Authentication (MFA). The shift in tactics allows the group to carry out attacks on a larger scale while remaining more anonymous.
Analyst Notes
The news from Microsoft about these attacks, which was released in a blog on Friday, September 11th, 2020, came just after another release from Microsoft outlining how Russian, Chinese, and Iranian actors were all targeting organizations around the November elections. As the election nears, more attacks will be seen from actors all trying to influence and affect the election. Organizations that work directly within the political environment are not the only people that at risk in these campaigns. Many times, third-party companies with supplier or contractor relationships will be initially targeted, and actors will try to pivot from these companies to their main target. Using complex passwords should be required by all organizations—passwords should contain uppercase and lowercase letters, numbers, and symbols. Using Multi-factor Authentication (MFA) is also important in preventing unauthorized logins. Even if a threat actor manages to guess a password, it is less likely they will guess the MFA code.
More can be read here: https://threatpost.com/apt28-theft-office365-logins/159195/
