Microsoft revealed last week that its corporate systems had been compromised by the Russian state-backed hacking group behind the SolarWinds attack. The attackers got into the email accounts of some members of Microsoft's senior leadership team and may have been monitoring them for weeks or months.

While Microsoft gave few details about how the attackers gained access in its initial disclosure to the Securities and Exchange Commission late Friday, the software maker has now released a preliminary analysis of how the hackers got past its defenses. Microsoft also warned that the group, which it tracks as Midnight Blizzard under its weather-themed naming scheme and which is also known as Nobelium, has been attacking other organizations.

Nobelium initially gained access to Microsoft's systems via a password spray attack. Unlike a classic brute force attack, which throws a long list of candidate passwords at a single account, a password spray tries a handful of common passwords against many accounts, so each account sees only a few failures and per-account lockout thresholds are never tripped. Compounding this, the compromised account, a legacy account in a non-production test tenant, did not have two-factor authentication enabled. Microsoft said Nobelium "tailored its password spray attack to target a limited number of accounts, using a smaller number of attempts to evade detection."
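
Because a spray fans out across accounts rather than hammering one, a detector has to key on breadth per source rather than depth per user. The following is an added example, not code from the article or from Microsoft: it runs that logic over a handful of constructed sign-in records (the field layout is a simplified stand-in for an identity provider's sign-in log, and the IP addresses and usernames are made up) and then reports any account that accepted a sprayed password without MFA.

```python
from collections import defaultdict
from typing import NamedTuple


class SignIn(NamedTuple):
    ts: str            # ISO-8601 UTC timestamp
    user: str
    src_ip: str
    success: bool
    mfa_enabled: bool  # whether MFA was enforced on the account at the time


# Constructed sample events (not real Microsoft telemetry). One source IP makes
# a few guesses against many test-tenant accounts, spaced minutes apart, and
# finally succeeds against one account that has no MFA. A second IP is a normal
# user who mistyped a password twice and then signed in with MFA.
SAMPLE_EVENTS = [
    SignIn("2023-11-20T02:00:11Z", "test-user01", "203.0.113.7", False, False),
    SignIn("2023-11-20T02:03:40Z", "test-user02", "203.0.113.7", False, False),
    SignIn("2023-11-20T02:07:02Z", "test-user03", "203.0.113.7", False, True),
    SignIn("2023-11-20T02:11:19Z", "test-user04", "203.0.113.7", False, False),
    SignIn("2023-11-20T02:15:55Z", "test-user05", "203.0.113.7", False, True),
    SignIn("2023-11-20T02:19:30Z", "test-user06", "203.0.113.7", False, False),
    SignIn("2023-11-20T02:23:48Z", "test-user02", "203.0.113.7", False, False),
    SignIn("2023-11-20T02:27:12Z", "test-user02", "203.0.113.7", True, False),   # spray hit
    SignIn("2023-11-20T08:00:00Z", "alice", "198.51.100.4", False, True),
    SignIn("2023-11-20T08:00:09Z", "alice", "198.51.100.4", False, True),
    SignIn("2023-11-20T08:00:20Z", "alice", "198.51.100.4", True, True),
]


def detect_password_spray(events, min_users=5, max_attempts_per_user=3):
    """Return {src_ip: sorted targeted users} for IPs whose failed sign-ins
    spread across at least `min_users` accounts with no more than
    `max_attempts_per_user` failures against any one of them.

    Per-account lockout never fires on this pattern, which is exactly why the
    detector counts distinct accounts per source instead of failures per user.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    for e in events:
        if not e.success:
            failures[e.src_ip][e.user] += 1
    sprays = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
            sprays[ip] = sorted(per_user)
    return sprays


def likely_compromised(events, spray_ips):
    """(user, ip, ts) for successful sign-ins from a spraying IP into an
    account that had no MFA, i.e. the password alone was enough."""
    return [(e.user, e.src_ip, e.ts) for e in events
            if e.success and e.src_ip in spray_ips and not e.mfa_enabled]


if __name__ == "__main__":
    sprays = detect_password_spray(SAMPLE_EVENTS)
    for ip, users in sprays.items():
        print(f"password spray from {ip}: {len(users)} accounts targeted")
    for user, ip, ts in likely_compromised(SAMPLE_EVENTS, sprays):
        print(f"  {user} accepted a sprayed password from {ip} at {ts} with no MFA")
```

The thresholds are deliberately low because the group kept attempt counts small to stay under the radar; in production you would also bucket by time window and correlate on user agent or ASN, since an attacker rotating through residential proxy addresses will not exceed `min_users` from any single IP.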

In this attack, the group "leveraged its initial access to identify and compromise a legacy test OAuth application that had advanced access into Microsoft's enterprise environment." OAuth is a widely used open standard for delegated, token-based authorization: an application is issued an access token that lets it act on a user's or an organization's behalf without ever handling a password. It is the machinery behind the "sign in with Google" buttons you see across the web, and, inside a corporate tenant, behind the applications an administrator consents to on behalf of every user. An OAuth application holding broad, tenant-wide permissions is therefore a credential in its own right, which is why compromising one was enough to move deeper.

That elevated access let the group create additional malicious OAuth applications and create accounts in Microsoft's corporate environment to grant consent to them, ultimately reaching its Office 365 Exchange Online service and, with it, the targeted email inboxes.

Microsoft's security team explains: "Midnight Blizzard leverages these malicious OAuth applications to authenticate to Microsoft Exchange Online and Microsoft business email accounts."
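
The chain just described leaves a distinctive trail in a tenant's directory audit log: an app role assignment that gives an application mailbox-wide Exchange Online access, a consent grant made by an account that was itself created minutes earlier, and several new application registrations from the same creator. The following hunting logic is an added example, not code from the article or from Microsoft; it runs over constructed audit records whose field names are a simplified stand-in for a directory audit log, and the app, account and actor names are made up. The `full_access_as_app` role name is the Exchange Online application role that Microsoft's responder guidance (linked at the end of the article) says the attacker granted; every other identifier is an assumption of the example.

```python
from datetime import datetime, timedelta

# Exchange Online app role that grants an application access to every mailbox
# in the tenant; this is the role named in Microsoft's responder guidance.
MAILBOX_WIDE_ROLE = "full_access_as_app"
EXCHANGE_RESOURCE = "Office 365 Exchange Online"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed audit records (not Microsoft's data). The first five mirror the
# chain in the article: the compromised legacy app creates a user, registers a
# new app, the fresh user consents to it, the legacy app grants it mailbox-wide
# access, and a second app is registered. The last two are a routine grant by
# an administrator months earlier, kept as a benign control case.
AUDIT_EVENTS = [
    {"ts": "2023-11-28T03:10:00Z", "activity": "Add user",
     "actor": "legacy-test-app", "target": "svc-sync-01"},
    {"ts": "2023-11-28T03:12:30Z", "activity": "Add service principal",
     "actor": "legacy-test-app", "target": "mailer-sync"},
    {"ts": "2023-11-28T03:14:05Z", "activity": "Consent to application",
     "actor": "svc-sync-01", "target": "mailer-sync"},
    {"ts": "2023-11-28T03:16:40Z", "activity": "Add app role assignment to service principal",
     "actor": "legacy-test-app", "target": "mailer-sync",
     "role": "full_access_as_app", "resource": "Office 365 Exchange Online"},
    {"ts": "2023-11-28T03:20:00Z", "activity": "Add service principal",
     "actor": "legacy-test-app", "target": "calendar-bridge"},
    {"ts": "2023-06-02T10:00:00Z", "activity": "Add service principal",
     "actor": "it-admin", "target": "helpdesk-bot"},
    {"ts": "2023-06-02T10:05:00Z", "activity": "Add app role assignment to service principal",
     "actor": "it-admin", "target": "helpdesk-bot",
     "role": "Mail.Read", "resource": "Microsoft Graph"},
]


def mailbox_wide_grants(events):
    """Names of apps granted the mailbox-wide Exchange Online app role."""
    return sorted({e["target"] for e in events
                   if e["activity"] == "Add app role assignment to service principal"
                   and e.get("resource") == EXCHANGE_RESOURCE
                   and e.get("role") == MAILBOX_WIDE_ROLE})


def app_provenance(events, app, fresh_days=7):
    """Reconstruct who registered `app`, who consented to it, whether that
    consenting account was created within `fresh_days` before consenting, and
    which other apps the same creator registered."""
    created = next((e for e in events
                    if e["activity"] == "Add service principal" and e["target"] == app), None)
    consent = next((e for e in events
                    if e["activity"] == "Consent to application" and e["target"] == app), None)
    finding = {"app": app,
               "created_by": created["actor"] if created else None,
               "consented_by": consent["actor"] if consent else None,
               "consenter_is_fresh_account": False,
               "sibling_apps": []}
    if consent:
        user_add = next((e for e in events
                         if e["activity"] == "Add user" and e["target"] == consent["actor"]), None)
        if user_add and parse_ts(consent["ts"]) - parse_ts(user_add["ts"]) <= timedelta(days=fresh_days):
            finding["consenter_is_fresh_account"] = True
            finding["consenter_created_by"] = user_add["actor"]
    if created:
        finding["sibling_apps"] = sorted(
            e["target"] for e in events
            if e["activity"] == "Add service principal"
            and e["actor"] == created["actor"] and e["target"] != app)
    return finding


def triage(events, fresh_days=7):
    """[(app, [reasons])] for every app holding mailbox-wide access."""
    out = []
    for app in mailbox_wide_grants(events):
        p = app_provenance(events, app, fresh_days)
        reasons = [f"granted {MAILBOX_WIDE_ROLE} on {EXCHANGE_RESOURCE}"]
        if p["consenter_is_fresh_account"]:
            reasons.append(f"consent granted by {p['consented_by']}, an account created "
                           f"shortly before by {p['consenter_created_by']}")
        if p["sibling_apps"]:
            reasons.append(f"creator {p['created_by']} also registered "
                           + ", ".join(p["sibling_apps"]))
        out.append((app, reasons))
    return out


if __name__ == "__main__":
    for app, reasons in triage(AUDIT_EVENTS):
        print(f"{app}:")
        for r in reasons:
            print(f"  - {r}")
```

Run as a script it flags only `mailer-sync`, with three reasons, and leaves `helpdesk-bot` alone. The point of `app_provenance` is that the individual events look legitimate on their own (apps get registered, users consent, roles get assigned every day); it is the ordering and the shared actor that make the chain suspicious, so the hunt should reconstruct that chain rather than alert on any one event.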

Microsoft has not disclosed how many corporate email accounts were targeted and accessed, but the company has previously described it as "a very small subset of Microsoft corporate email accounts, including members of our senior leadership team and employees in cybersecurity, legal and other functions."

Microsoft also still hasn't disclosed exactly how long the hackers monitored its senior leadership team and other employees. The initial intrusion took place in late November 2023, but Microsoft did not detect it until January 12, which means the attackers may have been reading executives' email for nearly two months.

Hewlett Packard Enterprise (HPE) revealed earlier this week that the same group of hackers had previously gained access to its "cloud-based email environment." HPE did not name the provider, but the company did reveal that the incident was "likely related" to a "limited number of [Microsoft] SharePoint file exfiltrations as early as May 2023."

The attack comes only months after Microsoft announced plans to overhaul its software security following a major attack on its Azure cloud, and it is the latest in a string of cybersecurity incidents for the company. In 2021, the email servers of some 30,000 organizations were compromised through vulnerabilities in on-premises Microsoft Exchange Server. Last year, Chinese state-backed hackers broke into US government email accounts through a flaw in Microsoft's cloud services. Microsoft was also at the center of the massive SolarWinds attack nearly three years ago, and the same Nobelium group is behind this embarrassing breach of executive email.

Microsoft has admitted that the key test account lacked two-factor authentication, which is likely to cause concern in the cybersecurity community. This was not a vulnerability in Microsoft software but a poorly configured test environment that allowed the hackers to move quietly through Microsoft's corporate network. Earlier this week, CrowdStrike CEO George Kurtz asked in an interview with CNBC: "How did a non-production test environment lead to the compromise of Microsoft's highest-level officials? I think there is more to come."

More information has been released, but some key details are still missing. Microsoft says that if the same non-production test environment were deployed today, "enforced Microsoft policies and workflows would ensure MFA and our proactive protections are enabled" to better protect against these attacks. Microsoft still has a lot to explain, especially if it wants to convince customers that it is genuinely improving the way its software and services are designed, built, tested and operated to protect against security threats.

Learn more:

https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/