
Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage

Threat Actors: Secret Blizzard (Russian nation-state actor)
Campaign Overview: Secret Blizzard has used tools and infrastructure from at least six other threat actors for espionage operations. It has targeted South Asia, including Afghanistan and India.
Target Regions: Afghanistan, India, South Asia
Methodology: Leveraging tools from other threat actors (e.g., Storm-0156, Hazel Sandstorm, and others), deploying backdoors (e.g., TinyTurla, TwoDash), and using server-side compromises.
Targets: Government ministries, defense departments, embassies, defense-related companies, and VPN infrastructure.
Malware Reference: TinyTurla, TwoDash, Statuezy, MiniPocket, CrimsonRAT, Wainscot
Tools Used: ArsenalV2%, Storm-0156 C2 infrastructure, Arsenal server-side C2 tool, various backdoors and DLL-sideloading techniques
Vulnerabilities Exploited: DLL-sideloading (credwiz.exe), server-side C2, vulnerabilities in legitimate tools (e.g., Credential Backup and Restore Wizard)
TTPs: Backdoor deployment, lateral movement, espionage, use of compromised infrastructure, DLL-sideloading, peer-to-peer functionality, clipboard monitoring
Attribution: CISA attributes Secret Blizzard to Russia's FSB (Center 16). Secret Blizzard overlaps with Turla and other Russian threat actors.
Recommendations: Strengthen Microsoft Defender configurations, block obfuscated scripts, implement attack surface reduction rules, and enable PowerShell and endpoint protection monitoring.
Source: Microsoft Threat Intelligence

Read full article: https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/

Disclaimer: The above summary has been generated by an AI language model

Source: Microsoft Threat Intelligence

Published on: December 4, 2024
