In a recent development, Russian threat actors identified as UTA0352 and UTA0355 have been targeting Ukraine-linked nongovernmental organizations (NGOs) by exploiting the OAuth protocol to compromise Microsoft 365 accounts.

The Mechanics of the Attack

The attackers initiated their campaign with phishing attempts, enticing targets to join a video call discussing the ongoing conflict in Ukraine. The link provided for the call generated an OAuth authorization code; the attackers then exchanged that code for a token, which granted them access to the victims' Microsoft 365 accounts.

The Role of OAuth in the Breach

OAuth, a widely used open standard for access delegation, allows users to grant third-party services access to their resources without sharing credentials. In this case, the attackers manipulated the OAuth flow to gain unauthorized access, highlighting a significant vulnerability in the protocol's implementation.
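To make the mechanism above concrete from the defender's side, here is an added example (not from the article or from Volexity) that scans constructed Microsoft 365 sign-in records, with assumed field names, for authorization-code grants redeemed by a client app outside the organization's allowlist or from an IP address the user has never signed in from before.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real logs). Field names are
# assumptions, loosely modelled on an Entra ID sign-in export and simplified.
SAMPLE_LOG = """
{"time": "2025-04-10T09:01:00Z", "user": "alice@ngo.example", "ip": "203.0.113.10", "app_id": "app-mail-client", "grant": "password"}
{"time": "2025-04-10T09:30:00Z", "user": "alice@ngo.example", "ip": "203.0.113.10", "app_id": "app-mail-client", "grant": "refresh_token"}
{"time": "2025-04-10T14:02:00Z", "user": "alice@ngo.example", "ip": "198.51.100.77", "app_id": "app-unknown-cli", "grant": "authorization_code"}
{"time": "2025-04-10T14:03:00Z", "user": "alice@ngo.example", "ip": "198.51.100.77", "app_id": "app-unknown-cli", "grant": "refresh_token"}
{"time": "2025-04-10T15:00:00Z", "user": "bob@ngo.example", "ip": "203.0.113.22", "app_id": "app-mail-client", "grant": "authorization_code"}
"""

# Hypothetical allowlist of client application ids the organization expects
# to redeem authorization codes on behalf of its users.
APPROVED_APPS = {"app-mail-client"}


def parse_log(text):
    """Parse newline-delimited JSON records into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_suspicious_grants(records, approved_apps=APPROVED_APPS):
    """Return authorization-code redemptions that either come from a client app
    not on the allowlist or from an IP never seen for that user earlier in the
    log. The IP check only fires once a per-user baseline exists, so a user's
    very first record does not raise a false alert."""
    known_ips = defaultdict(set)
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        user, ip = rec["user"], rec["ip"]
        if rec["grant"] == "authorization_code":
            reasons = []
            if rec["app_id"] not in approved_apps:
                reasons.append("unapproved client app")
            if known_ips[user] and ip not in known_ips[user]:
                reasons.append("first sign-in from this IP")
            if reasons:
                alerts.append({"user": user, "ip": ip, "app_id": rec["app_id"],
                               "time": rec["time"], "reasons": reasons})
        known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_grants(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed data only alice's 14:02 grant is flagged, on both counts; in production the same correlation would be run against exported sign-in logs, with the allowlist and baseline built from the tenant's own history.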

Overlaps with Other Threat Actors

While UTA0352 and UTA0355 are not traditionally associated with Russian advanced persistent threat (APT) operations, researchers at Volexity discovered overlaps with other threat actors who have previously infiltrated Microsoft 365 accounts.

Recommendations for Organizations

Volexity advises organizations to train users to be highly vigilant regarding unsolicited contact, especially if it arrives via secure messaging apps and requests that users click links or open attachments.

A Pattern of Targeting Microsoft 365

This incident is part of a broader pattern of Russian state-backed hackers targeting Microsoft 365 accounts. In early 2024, Microsoft disclosed that a Russian hacking group gained access to some email accounts of its senior leadership team, as well as employees in its cybersecurity and legal departments. The attack began in late November 2023 and was discovered on January 12, 2024. (localnews8.com)

The Importance of Vigilance

These incidents underscore the importance of vigilance and robust security measures in protecting sensitive information. Organizations must remain proactive in their cybersecurity efforts to mitigate the risks posed by sophisticated threat actors.

In conclusion, the recent targeting of Ukraine-linked NGOs by Russian threat actors exploiting the OAuth protocol to compromise Microsoft 365 accounts highlights the evolving tactics of cyber adversaries. Organizations must stay informed and implement comprehensive security strategies to defend against such threats.

Source: SC Media Microsoft 365 access compromise sought by new Russian hacking campaign
 
