Alert - Midnight Blizzard conducts targeted social engineering over Microsoft Teams

Number: AL23-013
Date: August 3, 2023

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On August 2, 2023, Microsoft Threat Intelligence published an advisory [Footnote 1] highlighting details of targeted social engineering activity by the threat actor Midnight Blizzard (previously tracked by Microsoft as NOBELIUM) taking place over Microsoft Teams. Using previously compromised Microsoft 365 tenants renamed to appear as technical support entities, Midnight Blizzard steals credentials by sending messages over Teams to engage with users and bypass multifactor authentication (MFA) prompts.

While this campaign has affected fewer than 40 organizations globally, the Cyber Centre has received reports of attempts within Canada.

Suggested actions

The Cyber Centre recommends organizations:

  • Review the Microsoft advisory and look for indicators of compromise to determine if related activity has occurred. If activity has been detected and a compromise has occurred:
    • Reimage compromised systems.
    • Reset all potentially compromised credentials.
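One way to start the review above, as an added example that is not part of this Alert or of Microsoft's advisory: a triage rule run over Teams chat events that flags messages from external tenants whose tenant name mimics a support or security entity, or whose text solicits an MFA code or approval. The event records and their field names are constructed for this example and are not Microsoft's audit-log schema.

```python
import re

# Constructed sample Teams chat events. The field names are an assumption made
# for this example; they are not the schema of Microsoft 365 audit records.
SAMPLE_EVENTS = [
    {"id": 1, "recipient": "alice@example.org", "external_tenant": True,
     "sender_tenant": "IT Support Services",
     "sender": "helpdesk@itsupport-services.example",
     "text": "This is IT support. Please read back the code from your Authenticator app."},
    {"id": 2, "recipient": "bob@example.org", "external_tenant": True,
     "sender_tenant": "Partner Logistics Ltd",
     "sender": "dana@partner-logistics.example",
     "text": "Invoice 4471 is attached, thanks."},
    {"id": 3, "recipient": "carol@example.org", "external_tenant": False,
     "sender_tenant": "Example Org",
     "sender": "servicedesk@example.org",
     "text": "Reminder: approve the MFA prompt only when you initiated the sign-in."},
    {"id": 4, "recipient": "dave@example.org", "external_tenant": True,
     "sender_tenant": "Microsoft Security Team",
     "sender": "security@ms-identity-protect.example",
     "text": "We noticed suspicious activity. Approve the sign-in prompt to stay secure."},
]

# Tenant names that mimic the renamed "technical support" tenants described in the Alert.
SUPPORT_LOOKALIKE = re.compile(
    r"\b(support|help ?desk|service ?desk|security|microsoft|identity)\b", re.I)
# Phrases that ask the recipient for an MFA code or an approval.
MFA_SOLICITATION = re.compile(
    r"\b(authenticator|verification code|read back the code|approve the (sign-?in|mfa)|enter the code)\b", re.I)


def triage_event(event):
    """Return an alert dict for a suspicious external-tenant message, or None."""
    if not event["external_tenant"]:
        return None  # internal chats are out of scope for this rule
    reasons = []
    if SUPPORT_LOOKALIKE.search(event["sender_tenant"]):
        reasons.append("external tenant name mimics a support/security entity")
    if MFA_SOLICITATION.search(event["text"]):
        reasons.append("message solicits an MFA code or approval")
    if not reasons:
        return None
    severity = "high" if len(reasons) == 2 else "medium"
    return {"id": event["id"], "recipient": event["recipient"],
            "sender": event["sender"], "severity": severity, "reasons": reasons}


def triage(events):
    """Run triage_event over a batch and keep only the flagged events."""
    return [alert for alert in (triage_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Flagged recipients are the accounts whose credentials should be treated as potentially compromised under the reset step above.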

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions [Footnote 2], with an emphasis on the following topics.

  • Phishing Awareness. This includes both the identification of phishing and procedures on what to do if a phishing email is received.
  • Multi-factor Authentication.
    • Where feasible, implement phishing-resistant MFA such as FIDO2 security keys, Windows Hello, and certificate-based authentication.
  • Enforcing the Management of Administrative Privileges.
    • Minimize the number of administrators and privileged roles.
    • Conduct administrative activities on managed, hardened, and dedicated devices with restricted access to email, web browsing and outside connectivity.
    • Enable two-person integrity when resetting administrative accounts to minimize successful social engineering activities.
  • Remote Access Management and Controls.
    • Network segmentation and demilitarized zones (DMZs).
      • Configure firewalls to selectively control and monitor traffic passed between zones.
  • Implementing location-based and device-based conditional access policies.
  • Software Management and Deployment Controls.
  • Business continuity planning, which is tested and validated.

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.
