Category | Details |
---|---|
Threat Actors | Secret Blizzard (Russian nation-state actor) |
Campaign Overview | Secret Blizzard has used tools and infrastructure from at least six other threat actors for espionage operations. It has targeted South Asia, including Afghanistan and India. |
Target Regions | Afghanistan, India, South Asia |
Methodology | Leveraging tools from other threat actors (e.g., Storm-0156, Hazel Sandstorm, and others), deploying backdoors (e.g., TinyTurla, TwoDash), and using server-side compromises. |
Product Targeted | Government ministries, defense departments, embassies, defense-related companies, and VPN infrastructure. |
Malware Reference | TinyTurla, TwoDash, Statuezy, MiniPocket, CrimsonRAT, Wainscot |
Tools Used | ArsenalV2%, Storm-0156 C2 infrastructure, Arsenal server-side C2 tool, various backdoors and DLL-sideloading techniques |
Vulnerabilities Exploited | DLL-sideloading through the legitimate credwiz.exe (Credential Backup and Restore Wizard), server-side C2 |
TTPs | Backdoor deployment, lateral movement, espionage, use of compromised infrastructure, DLL-sideloading, peer-to-peer functionality, clipboard monitoring |
Attribution | CISA attributes Secret Blizzard to Russia’s FSB (Center 16). Secret Blizzard overlaps with Turla and other Russian threat actors. |
Recommendations | Strengthen Microsoft Defender configurations, block obfuscated scripts, implement attack surface reduction rules, enable PowerShell and endpoint protection monitoring. |
Source | Microsoft Threat Intelligence |
Read full article: https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/
Disclaimer: The above summary has been generated by an AI language model