Beg, Borrow or Steal
Tom McElroy & Anders Nielsen, Microsoft Threat Intelligence

Microsoft Threat Intelligence Center (MSTIC)
- Protect Microsoft & our customers
- Nation State & Criminal Actors

Agenda
- Who is Secret Blizzard?
- The Problem with Initial Access
- Secret Blizzard's Initial Access History
- Secret Blizzard vs. Storm-0156
- Secret Blizzard vs. Storm-1919

Secret Blizzard
- Russian FSB
- Also known as: Turla, Snake, UAC-0003
- Targets: Central Government Entities; Government Foreign Affairs; Government Defense Entities; NGOs; Multi-Lateral Forums; Ukrainian Military Interests
- Objectives: Long-term persistent network access; Intelligence collection; Support to military operations
- Activity includes: Multiple breaches into MFAs

The Problem with Initial Access
- It's hard: Phishing & Valid Credentials. Exploitation is harder, and when it's easy, you have competition.
- It takes time: Building access can be slow. 18% success rate when Phishing (Trend Micro, 2024).

Novel Secret Blizzard Initial Access
- 2008: Agent.btz. USB drive deployed; used autoruns feature; targeted US DOD.
- 2010: Strategic Web Injects. Watering hole campaign; hijacking webshell installations; widespread infection.
- 2018: Mosquito. Trojanized Flash installer utilized; diplomatic targets.
- 2019: OilRig. Hijacking Hazel Sandstorm operations; Poison Frog C2 takeover; Nautilus/Dark Neuron; active scanning for shells.
- 2022: Andromeda. Registered old Andromeda domains; existing USB infections; widespread deployment of Kopiluwak & Kapushka.
- Enduring activity: Spearphishing; Password Spray; Device Exploitation.

Storm-0156
- Pakistan Nexus
- Also known as: APT36, Mythic Leopard, C-Major
- Targets: Indian Government Entities; Afghanistan Government Entities
- Objectives: Intelligence collection

Storm-0156, November 2022
- Initial access vector is unknown
- Secret Blizzard Acc