Detecting Compromised Emails with Huntress MDR for Microsoft 365: Enhancing Cybersecurity
In the ever-evolving landscape of cybersecurity threats, email remains one of the most common vectors for attacks. Cybercriminals continuously refine...
Veroot Cyber Team : Jan 22, 2024 1:29:51 PM
“Star Blizzard” (aka Seaborgium, BlueCharlie, Callisto Group, Coldriver) has been actively involved in cyber espionage since 2017, concentrating its efforts on public and private organizations in NATO member countries, particularly in the fields of politics, defense, and related sectors.
Noteworthy is its recent focus on individuals and organizations providing support for Ukraine. Despite its successful cyber breaches, Star Blizzard is equally recognized for operational security failures.
Microsoft disrupted the group in August 2022, prompting Recorded Future to monitor its attempts to shift to new infrastructure.
In its latest evasion efforts, Star Blizzard has adopted five primary tactics, notably utilizing email marketing platforms for phishing. The group employs password-protected PDF lure documents and cloud-based file-sharing platforms to bypass email filters.
To obstruct human analysis, they place their infrastructure behind a DNS provider's reverse-proxy service and incorporate server-side JavaScript snippets to impede automated scanning of that infrastructure.
Star Blizzard also employs a more randomized domain generation algorithm (DGA) to complicate pattern detection. Despite these tactics, Microsoft notes certain defining characteristics of Star Blizzard’s domains, including registration with Namecheap, similar naming conventions, and TLS certificates from Let’s Encrypt.
A significant shift in their strategy involves the use of email marketing services such as MailerLite and HubSpot to direct phishing campaigns.
This enables the creation of dedicated subdomains for redirection and of URLs that act as entry points to a redirection chain ending at actor-controlled Evilginx server infrastructure.
The group’s innovative approach combines cloud-based platforms, virtual private servers (VPS), and server-side scripts, enhancing their ability to redirect victims selectively.
Recorded Future highlights the group’s success in targeting think tanks, research organizations, and UK government officials, showcasing the evolving and impactful nature of Star Blizzard’s cyber operations.
“Their use of cloud-based platforms like HubSpot, MailerLite, and virtual private servers (VPS) partnered with server-side scripts to prevent automated scanning is an interesting approach,” explains Recorded Future Insikt Group threat intelligence analyst Zoey Selman, “as it enables BlueCharlie to set allow parameters to redirect the victim to threat actor infrastructure only when the requirements are met.”
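One way to triage such a link from the defender's side, as an added example that is not Veroot's, Microsoft's or Recorded Future's tooling: walk the redirect chain one hop at a time, without letting the HTTP client follow it silently, and flag chains that enter on an email-marketing platform but exit somewhere else. The watch list, the sample chain and its `.example.test` hosts are constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed watch list: the two email-marketing platforms the post names.
MARKETING_PLATFORMS = ("mailerlite.com", "hubspot.com")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface every 3xx to the caller instead of following it

def live_fetch(url, headers):
    """One HEAD request with no automatic redirect; returns (status, Location)."""
    req = urllib.request.Request(url, headers=headers, method="HEAD")
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx responses land here as well
        return err.code, err.headers.get("Location")

# Constructed sample chain (hypothetical hosts) for offline runs and tests.
SAMPLE_ROUTES = {
    "https://click.mailerlite.com/c/abc": (302, "https://cdn-edge.example.test/go"),
    "https://cdn-edge.example.test/go": (302, "https://login.lure.example.test/"),
    "https://login.lure.example.test/": (200, None),
}

def sample_fetch(url, headers):
    return SAMPLE_ROUTES.get(url, (404, None))

def trace_chain(url, fetch=live_fetch, headers=None, max_hops=10):
    """List every URL visited, starting with `url`. The chain observed depends on
    the request attributes (the script redirects only when its conditions are met)."""
    hops = [url]
    for _ in range(max_hops):
        status, location = fetch(hops[-1], dict(headers or {}))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        hops.append(urljoin(hops[-1], location))
    return hops

def assess(hops):
    """Flag a chain that enters on a marketing platform and exits elsewhere."""
    on = lambda h: any(h == p or h.endswith("." + p) for p in MARKETING_PLATFORMS)
    entry = urlparse(hops[0]).hostname or ""
    final = urlparse(hops[-1]).hostname or ""
    return {"hops": len(hops), "entry_host": entry, "final_host": final,
            "suspicious": on(entry) and not on(final)}
```

Record the request headers alongside each trace, since a scanner and a targeted recipient may be shown different chains.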
At Veroot, we aim to emphasize the escalating nature of phishing campaigns orchestrated by threat actors. Our services offer comprehensive phishing training to enhance awareness within your team. Should this be of interest to your organization, please feel free to contact us by clicking the below link.