One Article Review

Home - The article:
Source RiskIQ
Identifier 8620235
Publication date 2024-12-05 18:22:13 (viewed: 2024-12-05 19:08:42)
Title Snowblind: The Invisible Hand of Secret Blizzard
Text
#### Targeted Geolocations
- Pakistan
- Afghanistan
- India

## Snapshot
Researchers at Lumen's Black Lotus Labs, in collaboration with Microsoft's Threat Intelligence Team, have uncovered that the Russian cyber-espionage group Turla, tracked by Microsoft as [Secret Blizzard](https://sip.security.microsoft.com/intel-profiles/01d15f655c45c517f52235d63932fb377c319176239426681412afb01bf39dcc), has been hijacking the infrastructure of the Pakistani threat actor Storm-0156 since December 2022. This campaign highlights Secret Blizzard's strategy of embedding itself in the operations of other threat actors to conduct espionage while avoiding attribution.

## Description
Since gaining access to Storm-0156's command-and-control (C2) servers, Secret Blizzard has used that infrastructure to deploy its own custom malware, such as "TwoDash" and "Statuezy," against Afghan government networks. By April 2023 it had escalated to accessing the Pakistani operators' workstations, exfiltrating credentials, the files Storm-0156 had itself exfiltrated from its victims, and malware artifacts. This access let Secret Blizzard appropriate tools such as CrimsonRAT and Wainscot, which it later used in additional operations. CrimsonRAT, known for its deployment against Indian government and military targets, was repurposed to expand Secret Blizzard's collection efforts.

Secret Blizzard compromised 33 Storm-0156 C2 nodes and used them as pivot points for its espionage activities. It likely relied on techniques such as Remote Desktop Protocol (RDP) pivoting to identify new nodes and gather intelligence. Its operations were marked by persistent connections to Afghan networks from specific IP addresses tied to Secret Blizzard-controlled C2s. These connections stayed active for extended periods, with significant data transfers observed, which suggests a systematic collection strategy.

Additionally, Secret Blizzard maintained operational security by frequently rotating its C2 infrastructure in 2024, further complicating attribution.

## Microsoft Analysis and Additional OSINT Context
Microsoft has observed that Secret Blizzard has used the tools and infrastructure of at least six other threat actors during the past seven years. While not unique, riding on another adversary's access is an unusual approach for threat actors in general. Microsoft Threat Intelligence partnered with Black Lotus Labs to confirm that Secret Blizzard C2 traffic emanated from Storm-0156 infrastructure, including infrastructure Storm-0156 used to collate data exfiltrated from its campaigns in Afghanistan and India. Microsoft Threat Intelligence tracks Secret Blizzard campaigns and, when able, directly notifies customers who have been targeted or compromised, providing them with the information they need to secure their environments. Read Microsoft's blog on [Secret Blizzard compromising Storm-0156 infrastructure for espionage](https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/) for further information on this campaign.
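The two network behaviours described above, long-lived high-volume sessions to a small set of external addresses and a later move of those sessions to fresh C2 addresses, are the kind of thing a defender on the targeted side can hunt for in flow telemetry. The script below is an added example and is not code from the RiskIQ or Microsoft report; the flow records, the "internal" ranges, the duration and byte thresholds, and the field names are all constructed assumptions, and the external addresses are documentation ranges rather than any indicator from the campaign.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumption: these RFC 1918 ranges are "internal"; anything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hunt thresholds (assumptions, tune per environment): an internal->external
# pair that stays in contact at least this long AND pushes at least this many
# bytes out matches the "persistent, high-volume" profile described above.
MIN_SPAN = timedelta(hours=6)
MIN_BYTES_OUT = 50 * 1024 * 1024  # 50 MiB

# Constructed flow export, not real telemetry; external IPs are documentation ranges.
SAMPLE_FLOWS = """\
start,end,src,dst,dport,bytes_out
2024-03-02T01:10:00Z,2024-03-02T01:10:05Z,10.20.1.15,203.0.113.10,443,5120
2024-03-02T02:00:00Z,2024-03-02T05:30:00Z,10.20.1.15,203.0.113.10,443,31457280
2024-03-02T05:31:00Z,2024-03-02T09:45:00Z,10.20.1.15,203.0.113.10,443,41943040
2024-03-02T03:00:00Z,2024-03-02T03:00:12Z,10.20.1.22,198.51.100.7,443,2048
2024-03-02T03:05:00Z,2024-03-02T03:05:09Z,10.20.1.22,198.51.100.7,443,1900
2024-03-02T00:00:00Z,2024-03-02T23:59:00Z,10.20.1.30,10.20.5.5,445,734003200
2024-03-02T08:00:00Z,2024-03-02T20:00:00Z,10.20.1.41,192.0.2.55,443,734003200
"""

# A later, constructed export in which 10.20.1.15's long-lived session has
# moved to a never-before-seen address (the C2 rotation pattern).
SAMPLE_FLOWS_LATER = """\
start,end,src,dst,dport,bytes_out
2024-06-10T02:00:00Z,2024-06-10T10:00:00Z,10.20.1.15,203.0.113.77,443,104857600
2024-06-10T03:00:00Z,2024-06-10T03:00:10Z,10.20.1.22,198.51.100.7,443,2100
"""


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def aggregate_sessions(flow_csv: str) -> dict:
    """Collapse individual flows into one record per (src, dst, dport)."""
    sessions = {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (row["src"], row["dst"], int(row["dport"]))
        start, end, out = parse_ts(row["start"]), parse_ts(row["end"]), int(row["bytes_out"])
        s = sessions.setdefault(key, {"first_seen": start, "last_seen": end, "bytes_out": 0, "flows": 0})
        s["first_seen"] = min(s["first_seen"], start)
        s["last_seen"] = max(s["last_seen"], end)
        s["bytes_out"] += out
        s["flows"] += 1
    return sessions


def find_persistent_exfil(flow_csv: str, min_span=MIN_SPAN, min_bytes=MIN_BYTES_OUT) -> list:
    """Return external sessions that are both long-lived and high-volume, largest first."""
    hits = []
    for (src, dst, dport), s in aggregate_sessions(flow_csv).items():
        if is_internal(dst):
            continue  # lateral movement is a separate hunt
        span = s["last_seen"] - s["first_seen"]
        if span >= min_span and s["bytes_out"] >= min_bytes:
            hits.append({
                "src": src, "dst": dst, "dport": dport, "flows": s["flows"],
                "span_hours": round(span.total_seconds() / 3600, 2),
                "mib_out": round(s["bytes_out"] / 2**20, 1),
            })
    return sorted(hits, key=lambda h: h["mib_out"], reverse=True)


def rotated_destinations(baseline_csv: str, recent_csv: str) -> dict:
    """External destinations a host contacts in recent data but never in the baseline."""
    def external_dsts(flow_csv):
        seen = defaultdict(set)
        for (src, dst, _), _ in aggregate_sessions(flow_csv).items():
            if not is_internal(dst):
                seen[src].add(dst)
        return seen
    base, recent = external_dsts(baseline_csv), external_dsts(recent_csv)
    return {src: sorted(dsts - base.get(src, set()))
            for src, dsts in recent.items() if dsts - base.get(src, set())}


if __name__ == "__main__":
    for h in find_persistent_exfil(SAMPLE_FLOWS):
        print(f"{h['src']} -> {h['dst']}:{h['dport']}  {h['span_hours']}h  {h['mib_out']} MiB  {h['flows']} flows")
    print("new external destinations:", rotated_destinations(SAMPLE_FLOWS, SAMPLE_FLOWS_LATER))
```

On the constructed data, `find_persistent_exfil` flags the two sessions that are both long-lived and high-volume and ignores the short beacons and the internal SMB transfer, and `rotated_destinations` reports that one flagged host has moved to a new external address in the later export. The thresholds are deliberately coarse: the point of the hunt is to surface the small number of sessions worth an analyst's attention, not to produce a high-confidence alert on its own.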
## Recommendations
### Strengthen Microsoft Defender for Endpoint configuration
- Microsoft Defender XDR customers can implement [attack surface reduction rules](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-deployment-implement) to harden an environment against techniques used by threat actors:
  - [Block execution of potentially obfuscated scripts](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference#block-execution-of-potentially-obfuscated-scripts)
  - [Block process creations originating from PSExec and WMI commands](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference#block-process-creations-originating-from-psexec-and-wmi-commands)
  - [Block executable files from running]
Notes ★★
Sent Yes
Tags Malware Tool Threat
The article does not appear to have been picked up after its publication.

The article does not appear to be a repeat of an earlier one.