Senior executives and managers with “access to valuable resources” are the targets of an ongoing Microsoft Azure cloud account takeover (ATO) campaign that has hit dozens of organizations, researchers say.
Proofpoint discovered the campaign in late November, the firm’s cloud security response team shared in a Monday post. The unidentified threat group behind the campaign was using individualized phishing lures, including malicious links in shared cloud documents, to snare its victims.
As well as targeting users with lofty job titles including “president and CEO”, “chief financial officer and treasurer”, or “vice president, operations”, the gang was also hunting out individuals with other roles including sales directors, account managers, and finance managers.
Accounts belonging to hundreds of individuals across the targeted environments had been compromised and the threat group’s intention appeared to be to infiltrate the decision-making hierarchy within the victim organizations.
“The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions,” the researchers said.
Proofpoint’s threat analysts identified a particular Linux user-agent that was an indicator of compromise (IOC) associated with the access phase of the group’s attacks: “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36”.
The gang utilized the user-agent to access Microsoft’s OfficeHome sign-in application and to gain unauthorized access to other Microsoft 365 apps including Office365 Shell WCSS-Client, Office 365 Exchange Online, My Sign-Ins, My Apps, and My Profile.
ATO opens the door to malicious activity
Once the threat group accessed account within the Azure environment, they were observed carrying out a range of malicious activities including multi-factor authentication (MFA) manipulation, data exfiltration, internal and external phishing, mailbox rule manipulation and financial fraud, the researchers said.
MFA manipulation involves attackers registering their own MFA methods to maintain persistent access to a compromised account.
“We have observed attackers choosing different authentication methods, including the registration of alternative phone numbers for authentication via SMS or phone call. However, in most MFA manipulation instances, attackers preferred to add an authenticator app with notification and code,” the researchers said.
“Mailbox access is leveraged to conduct lateral movement within impacted organizations and to target specific user accounts with personalized phishing threats,” they added.
“In an effort to perpetrate financial fraud, internal email messages are dispatched to target Human Resources and Financial departments within affected organizations.”
Links to Russia and Nigeria
The researchers said their forensic analysis had identified several proxies, data hosting services and hijacked domains that made up the threat group’s operational infrastructure.
They had also linked the group to certain fixed-line internet service providers including Russia-based Selena Telecom and Nigerian providers Airtel Networks and MTN Nigeria.
“While Proofpoint has not currently attributed this campaign to any known threat actor, there is a possibility that Russian and Nigerian attackers may be involved, drawing parallels to previous cloud attacks,” the researchers said.
