Vasyl Grigoriev, Lizard Soft GM
Denis Rozoumeiko, Lizard Soft Microsoft 365 Engineer

Due to the ongoing russian aggression against Ukraine and Microsoft's cooperation with global partners, the world is being faced an increase in cyber-attacks by russian state actors. They use different approaches and tools, convincing in the rapid development of cybercrime during the hybrid war. In this blog, we review the activities of the threat known as Cadet Blizzard, which is aimed at conducting destructive attacks, espionage, and information operations.

Who Cadet Blizzard are

Cadet Blizzard is a cyber group sponsored by the russian state and related to the Main Intelligence Directorate of the General Staff of the russian armed forces (aka GRU). According to Microsoft, Cadet Blizzard is separate from other well-known groups such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM), which are also affiliated with the GRU.

Microsoft has been tracking Cadet Blizzard since January 2022, but believes they have been active since 2020. Their operations include destructive attacks, espionage, and information operations on the systems of Ukraine and other countries.

As a Microsoft Certified Partner, Lizard Soft is actively working on cyber security issues and helping to protect against vulnerabilities such as those used by Cadet Blizzard.

Who the targets of Cadet Blizzard are

Cadet Blizzard operations are global, but most affect Ukraine, Europe, Central Asia, and occasionally Latin America. The main target sectors of cyber-attacks are online resources of government organizations and information technology providers in Ukraine. At the same time, organizations in Europe and Latin America also became targets.

How penetration occurs

Cadet Blizzard achieves initial access by exploiting vulnerabilities in web servers typically located on network perimeters and DMZs.

There are also known attacks on Confluence servers due to the CVE-2021-26084 vulnerability, Exchange servers due to several vulnerabilities, including CVE-2022-41040 and ProxyShell.

Cadet Blizzard uses web shells (such as P0wnyshell, reGeorg, PAS) as well as proprietary variants included in publicly available exploit kits to provide permanent access to the victim's network.

In addition, Cadet Blizzard criminals perform privilege escalation and credential harvesting using various techniques, such as LSASS storage, log storage, etc.

Vulnerabilities exploited

• Confluence CVE-2021-26084 servers’ vulnerability.
• Vulnerabilities in Exchange servers, including CVE-2022-41040 and ProxyShell.

Recommendations for protection against attacks

• Install the latest updates and security patches on the operating system. Make sure you have the latest version of your anti-virus software with the latest virus database updates. Use licensed software.
• Use centralized protection and monitoring tools, such as Microsoft Defender for Endpoint.
• Review all authentication activity for the remote access infrastructure, including accounts configured for one-factor authentication.
• Enable Multi-Factor Authentication (MFA) for all Users. Please note that basic MFA is available in almost all Microsoft 365 plans. Advanced capabilities can be obtained by purchasing Azure Active Directory Premium Plan 1 or higher.
• Enable controlled folder access (CFA) to prevent MBR/VBR modification.
• Block creation of processes spawned by PSExec and WMI commands to stop lateral traffic.
• Enable the protection provided by Microsoft Defender Antivirus or an equivalent product to combat the rapidly changing tools and methods of attackers.

The first steps in case of suspected system hacking

• Immediately notify your IT department and your trusted partner Lizard Soft. Please note, as part of our Premier Support contract with Microsoft
• Take measures to isolate compromised systems and networks.
• Change passwords and enable multi-factor authentication.
• Run an antivirus scan on all systems.
• Cooperate with investigative bodies and cyber security specialists to analyze and remediate the incident.

Lizard Soft closely monitors known cases of cyberattacks and analyzes known cases of penetration into IT systems.

We all understand that these attacks will not stop. Therefore, our task is to be prepared in advance: analyze the infrastructure, identify vulnerabilities, take measures to reduce risks, and always be one click away from cyber security specialists.

Do not wait for your data to be hacked, make it impossible: at your disposal the experience and knowledge of the world's best cyber security specialists such as Microsoft experts; and the most advanced cyber protection systems that Lizard Soft activates as part of the Premier Support contract with Microsoft.

Contact us to analyze and determine the next steps to maximize the security of your IT systems.

According to Microsoft.com