blueteamsec
For [Blue|Purple] Teams in Cyber Defence - covering discovery, detection, response, threat intelligence, malware, offensive tradecraft and tooling, deception, reverse engineering etc.
A likely state-sponsored threat actor is still targeting organisations with WhatsApp 🤳 + mail 📩 phishing in Europe 🇪🇺 in December. The goal is to get access to the Microsoft accounts of high-value targets. The threat actor is particularly interested in people or organisations that run activities in Ukraine 🇺🇦. So far we have identified likely or confirmed targets mainly in NGOs and think-tanks.

In December, the threat actor notably leveraged an online profile using the name "Janis Cerny", who pretends to be a diplomat working with the European Union. The associated mail sender is "janiscerny[@]seznam[.]cz", and the WhatsApp profile/number is "[+42]0 735 596 5[65]".

The threat actor will engage with targets using both messaging apps (typically WhatsApp) and emails, offering to set up an important meeting. Mails will usually contain an invitation to an online meeting (typically MS Teams), but the meeting link is replaced to trick the user into signing in using the MS device code flow, which requires a manually entered, threat-actor-generated code. This allows the threat actor to hijack the account. Similar campaigns and techniques have been previously documented by Volexity (which tracks the actor as "UTA0352") and Elastic.

source: https://www.linkedin.com/posts/drprr_likely-state-sponsored-threat-actor-is-still-activity-7407823036407709696-PG70/
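As an added defender-side example (not part of the post or the reports it cites): a Python script that runs over constructed sign-in records shaped like the Microsoft Graph `signIn` resource, where `authenticationProtocol` is `deviceCode` for a device code flow sign-in, and flags those sign-ins, scoring them higher when the source country is outside the organisation's usual set. The sample values, the `EXPECTED_COUNTRIES` set and the scoring weights are assumptions for illustration.

```python
"""Flag Entra ID sign-ins completed via the OAuth device code flow.

The records below are constructed for this example; they mimic a few
fields of the Microsoft Graph `signIn` resource (authenticationProtocol,
userPrincipalName, ipAddress, appDisplayName, location.countryOrRegion).
"""
import json

SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-12-03T09:14:02Z", "userPrincipalName": "analyst@example.org",
     "authenticationProtocol": "authorizationCodeFlow", "appDisplayName": "Microsoft Teams",
     "ipAddress": "198.51.100.10", "location": {"countryOrRegion": "BE"}},
    {"createdDateTime": "2025-12-03T09:20:47Z", "userPrincipalName": "director@example.org",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2025-12-03T11:02:13Z", "userPrincipalName": "director@example.org",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2025-12-03T12:45:00Z", "userPrincipalName": "it-admin@example.org",
     "authenticationProtocol": "ropc", "appDisplayName": "Legacy sync tool",
     "ipAddress": "198.51.100.10", "location": {"countryOrRegion": "BE"}},
])

# Hypothetical: countries this organisation's users normally sign in from.
EXPECTED_COUNTRIES = {"BE"}


def find_device_code_signins(signins_json, expected_countries=EXPECTED_COUNTRIES):
    """Return one alert dict per deviceCode sign-in, highest score first.

    Heuristic: the device code flow is rare for ordinary interactive users,
    so every such sign-in is flagged (base score 50); a source country
    outside the expected set adds 30. Ties are ordered by time.
    """
    alerts = []
    for rec in json.loads(signins_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        country = rec.get("location", {}).get("countryOrRegion", "??")
        score = 50 + (30 if country not in expected_countries else 0)
        alerts.append({"time": rec["createdDateTime"], "user": rec["userPrincipalName"],
                       "app": rec.get("appDisplayName", ""), "ip": rec.get("ipAddress", ""),
                       "country": country, "score": score})
    alerts.sort(key=lambda a: (-a["score"], a["time"]))
    return alerts


if __name__ == "__main__":
    for a in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"{a['time']} {a['user']:<22} {a['app']:<32} {a['ip']:<15} {a['country']} score={a['score']}")
```

The same logic maps onto a KQL query against the SigninLogs table's AuthenticationProtocol column; on the prevention side, Entra Conditional Access can block the device code flow for users who have no legitimate need for it.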
