Cybercriminals have long targeted poorly secured routers in personal and small office/home office (SOHO) environments, but a newly uncovered campaign has taken this threat to another level. According to Microsoft, attackers are no longer limiting themselves to device compromise—they are now leveraging these breaches to infiltrate widely used cloud platforms.
A well-known Russian state-backed hacking group, Forest Blizzard—also tracked as Storm-2754 or Fancy Bear—has once again been identified targeting internet-facing devices. The group has spent recent months attempting to infiltrate thousands of personal and SOHO routers. Once access was obtained, the attackers used these devices as stepping stones for broader cyber operations.
Insights from Microsoft’s Threat Intelligence team reveal that the campaign has been active since at least August 2025. During this period, Forest Blizzard conducted widespread attacks on thousands of routers, impacting over 200 organizations and approximately 5,000 consumer devices. A key tactic involved altering DNS configurations on compromised routers, allowing attackers to maintain persistent access and monitor DNS traffic.
Microsoft analysts noted that the group used hijacked routers to reroute internet traffic through malicious DNS infrastructure. This setup enabled more advanced man-in-the-middle operations—referred to as adversary-in-the-middle (AiTM) attacks—targeting Microsoft 365 services. In these attacks, the hosts that the fraudulent DNS answers pointed to presented invalid TLS certificates, and many users dismissed the resulting warnings as routine browsing issues. Once a connection lacked proper encryption, attackers could intercept the unprotected web traffic and extract sensitive Microsoft 365 data.
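A defender-side check for the hijack pattern described above, added here as an example and not code from Microsoft's report or tooling: it flags endpoints whose router-assigned DNS servers are off an allowlist and whose answers for Microsoft 365 hostnames fall outside the address ranges the service is known to use. The resolver allowlist, the address ranges and the endpoint telemetry are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allowlist of resolvers endpoints are expected to use (hypothetical).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed placeholder ranges (RFC 5737 documentation space) standing in for
# the published address ranges of the Microsoft 365 hostnames being monitored.
KNOWN_SERVICE_RANGES = {
    "login.microsoftonline.com": ["203.0.113.0/24"],
    "outlook.office365.com": ["198.51.100.0/24"],
}

@dataclass(frozen=True)
class Finding:
    endpoint: str
    kind: str    # "rogue_resolver" or "offrange_answer"
    detail: str

def audit_resolvers(endpoint, resolvers):
    """Flag any DNS server the endpoint uses that is not on the allowlist."""
    return [Finding(endpoint, "rogue_resolver", f"unexpected resolver {r}")
            for r in resolvers if r not in EXPECTED_RESOLVERS]

def audit_answers(endpoint, answers):
    """Flag answers for monitored hostnames that fall outside the known ranges."""
    findings = []
    for host, ips in answers.items():
        nets = [ipaddress.ip_network(n) for n in KNOWN_SERVICE_RANGES.get(host, [])]
        if not nets:
            continue  # hostname not monitored; nothing to compare against
        for ip in ips:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # malformed answer is itself worth surfacing
                findings.append(Finding(endpoint, "offrange_answer", f"{host} -> unparsable {ip!r}"))
                continue
            if not any(addr in n for n in nets):
                findings.append(Finding(endpoint, "offrange_answer", f"{host} -> {ip}"))
    return findings

def audit_endpoint(record):
    """record: {"endpoint": str, "resolvers": [ip, ...], "answers": {host: [ip, ...]}}"""
    return (audit_resolvers(record["endpoint"], record["resolvers"])
            + audit_answers(record["endpoint"], record["answers"]))

# Constructed sample telemetry: one clean endpoint, one behind a hijacked router.
CLEAN = {"endpoint": "laptop-01", "resolvers": ["10.0.0.53"],
         "answers": {"login.microsoftonline.com": ["203.0.113.10"]}}
HIJACKED = {"endpoint": "laptop-02", "resolvers": ["192.0.2.10"],
            "answers": {"login.microsoftonline.com": ["192.0.2.44"],
                        "outlook.office365.com": ["198.51.100.7"]}}

if __name__ == "__main__":
    for rec in (CLEAN, HIJACKED):
        for f in audit_endpoint(rec):
            print(f"{f.endpoint}: {f.kind}: {f.detail}")
```

In a real deployment the two inputs come from endpoint telemetry (DHCP-assigned resolvers and observed DNS answers), and the ranges from the service's published address list.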
Such MiTM/AiTM attacks can expose critical account credentials, potentially compromising large organizations and strengthening the attackers’ ongoing campaigns. The stolen data could also be used to launch further cyberattacks, including malware deployment or denial-of-service disruptions.
Microsoft has outlined several mitigation strategies for both individuals and enterprises. Modern Windows systems now include protections against DNS hijacking, such as Zero Trust DNS and enhanced safeguards within Microsoft Defender. The company’s security tools are designed to identify activity linked to Forest Blizzard / Storm-2754 and alert users in real time.
For organizations, additional layers of defense—such as Entra ID Protection and multi-factor authentication—are strongly recommended. Businesses are also advised to avoid relying on home routers within corporate networks. Instead, remote and hybrid work environments should be secured through centralized identity management systems to reduce exposure to such threats.