Forest Blizzard leverages router compromises to launch AiTM attacks, target Outlook sessions

Summary

The Russian threat actor Forest Blizzard is exploiting unsecured home and small-office routers to hijack DNS traffic. This allows them to conduct adversary-in-the-middle (AiTM) attacks, specifically targeting Microsoft Outlook web sessions by redirecting users to attacker-controlled infrastructure.

IFF Assessment

FOE

This is bad news for defenders because exploiting common, often unsecured SOHO routers gives attackers a broad attack surface and a stealthy way to intercept sensitive user sessions.

Defender Context

Defenders need to be aware of the risks associated with unsecured SOHO routers, which sophisticated threat actors can leverage for widespread DNS hijacking and AiTM attacks. Organizations should implement stronger network segmentation and endpoint security, and should monitor for unusual DNS activity and for compromised devices within their extended network.
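As an added illustration of the "monitor for unusual DNS activity" advice, the following Python script is not part of this summary and is not code from Microsoft or the original report. It runs two checks over DNS query log lines constructed for the example: it flags clients that resolve through a resolver outside an approved set (a sign that a hijacked router is handing out attacker-controlled resolvers), and it flags a watched hostname resolving to an address outside the prefixes an organization has verified for the service (a sign that the router is silently forwarding queries elsewhere). The log format, the resolver addresses, and the expected prefix (a TEST-NET range, not Microsoft's real address space) are all assumptions made for the example.

```python
"""Flag signs of router-level DNS hijacking in DNS query logs (added example).

Check 1: a client uses a resolver that is not on the approved list.
Check 2: a watched hostname resolves to an address outside the expected prefixes.
Both lists and the log format are constructed assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the resolvers the organization expects its clients to use.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed placeholder prefixes (TEST-NET-3). Replace with the ranges your
# organization has verified for the service; these are NOT Microsoft's ranges.
EXPECTED_ANSWERS = {
    "outlook.office.com": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed sample log: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z client=192.168.1.20 resolver=10.0.0.53 qname=outlook.office.com answer=203.0.113.10
2024-05-01T08:00:02Z client=192.168.1.21 resolver=198.51.100.7 qname=outlook.office.com answer=198.51.100.20
2024-05-01T08:00:03Z client=192.168.1.22 resolver=10.0.0.53 qname=outlook.office.com answer=198.51.100.20
2024-05-01T08:00:04Z client=192.168.1.23 resolver=10.0.1.53 qname=intranet.example.internal answer=10.0.5.5
"""


@dataclass
class Finding:
    client: str
    reason: str   # "unapproved_resolver" or "unexpected_answer"
    detail: str


def parse_line(line):
    """Turn one log line into a dict of its key=value fields plus the timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def analyze(log_text, approved=APPROVED_RESOLVERS, expected=EXPECTED_ANSWERS):
    """Return a list of Findings for every suspicious line in log_text."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)

        # Check 1: resolver not in the approved set.
        if rec["resolver"] not in approved:
            findings.append(Finding(rec["client"], "unapproved_resolver", rec["resolver"]))

        # Check 2: watched hostname resolved to an address outside expected prefixes.
        nets = expected.get(rec["qname"].lower())
        if nets is not None:
            addr = ipaddress.ip_address(rec["answer"])
            if not any(addr in net for net in nets):
                findings.append(
                    Finding(rec["client"], "unexpected_answer", f"{rec['qname']} -> {rec['answer']}")
                )
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.client}: {f.reason} ({f.detail})")
```

Run against the constructed log, the second client trips both checks and the third trips only the answer check, which is the case where clients still point at the router but the router's upstream forwarding has been changed. In production the expected-prefix list would be fed from an authoritative source for the service rather than hard-coded, and the findings would be routed to the SIEM rather than printed.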
