Microsoft Pwned By “Midnight Blizzard”
Microsoft has revealed that on January 12, 2024, they were attacked by a nation state. Here’s what happened next:
The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium.
And:
Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.
The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.
This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.
So this “state sponsored” group, the state in question being Russia since “Midnight Blizzard” is a Russian-affiliated group, was looking for info on themselves. Does that mean that they were worried about what Microsoft knew about them? I say that because this is the first time I have heard of a group hacking someone to find out information on themselves. Second, if you are wondering what a “password spray attack” is, it’s defined as follows:
Password spraying is a type of brute force attack. In this attack, an attacker will brute force logins based on a list of usernames with default passwords on the application. For example, an attacker will use one password (say, Secure@123) against many different accounts on the application to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.
This attack can be found commonly where the application or admin sets a default password for the new users.
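To make the spray-versus-brute-force distinction in that definition concrete from the detection side, here is an added example (mine, not from the article, Microsoft or the quoted definition) that classifies failed logins in a constructed auth log by whether one source touches many distinct accounts with few tries each, or hammers one account; the log format, IP addresses, user names and thresholds are all made up for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): "timestamp user source outcome".
SAMPLE_LOG = """\
2023-11-20T02:00:01 alice 203.0.113.7 FAIL
2023-11-20T02:00:04 bob 203.0.113.7 FAIL
2023-11-20T02:00:09 carol 203.0.113.7 FAIL
2023-11-20T02:00:13 dave 203.0.113.7 FAIL
2023-11-20T02:00:18 erin 203.0.113.7 FAIL
2023-11-20T02:00:22 testsvc 203.0.113.7 SUCCESS
2023-11-20T02:00:30 alice 198.51.100.9 FAIL
2023-11-20T02:00:31 alice 198.51.100.9 FAIL
2023-11-20T02:00:32 alice 198.51.100.9 FAIL
2023-11-20T02:00:33 alice 198.51.100.9 FAIL
2023-11-20T02:00:34 alice 198.51.100.9 FAIL
2023-11-21T09:15:00 frank 192.0.2.44 FAIL
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse_log(text):
    """Return (timestamp, user, source, outcome) tuples; malformed lines are skipped."""
    rows = [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]
    return [(datetime.fromisoformat(ts), u, src, o) for ts, u, src, o in rows]

def classify_sources(events, window=timedelta(minutes=10), threshold=5):
    """'spray': >= threshold distinct users failed from one source inside `window`,
    at most 2 tries each (one password, many accounts, so no lockout trips).
    'brute_force': the same volume against a single account. Any SUCCESS from
    that source after its first failure is recorded: that account needs a reset."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, u) for ts, u, _, o in evs if o == "FAIL"]
        if not fails:
            continue
        start = fails[0][0]
        per_user = Counter(u for ts, u in fails if ts - start <= window)
        hits = sorted({u for ts, u, _, o in evs if o == "SUCCESS" and ts >= start})
        if len(per_user) >= threshold and max(per_user.values()) <= 2:
            findings[src] = {"kind": "spray", "users": sorted(per_user), "success": hits}
        elif len(per_user) == 1 and sum(per_user.values()) >= threshold:
            findings[src] = {"kind": "brute_force", "users": sorted(per_user), "success": hits}
    return findings
```

The window is measured from a source's first failure only, so a real detector would slide it; the point here is that a per-account lockout counter never fires on the spraying source, while a per-source distinct-user count does.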
This again highlights why passwords tend to be one of the weak points when it comes to cybersecurity. But I digress.
The fact that Microsoft was targeted in this manner is pretty brazen on the part of these threat actors. I for one will be interested to see what Microsoft says in terms of what these threat actors did once they got in beyond what Microsoft has said, and what they might have taken.
Stay tuned to this space.
UPDATE: Carol Volk, EVP, BullWall had this comment:
“So how big do you have to be to be secure? The apparent lack of 2FA and/or weak passwords by Microsoft’s senior staff allowed the Russian hacking group Midnight Blizzard to read their emails, and that’s the point here, anyone and everyone is vulnerable. It’s not just the zero-days that get you, it’s just that one hole in your defenses. In this case an old fashioned “password spray attack” worked just fine to let attackers in to read management emails.
“Microsoft is lucky this time, as apparently the gang was searching emails to see what MS was saying about them. They could have just as easily stolen or destroyed the data. Attackers can always find a way into a network, so regular air gapped backups and a rapid response ransomware containment system should be part of the complete defensive stack.”
Mark B. Cooper, President & Founder, PKI Solutions follows with this:
“The continued use of passwords will always lead to more security breaches like Microsoft experienced. This is especially true when test/non-production accounts are expected to be used for a short period of time or won’t be used to access confidential information and are allowed to have weak security controls. A strong identity and encryption standard that covers all identities, temporary or otherwise, is the only way to stem the tide of password breaches. Stronger technology like mutual authentication certificates and security tokens have been around for decades, but it has been traditionally easy to dismiss the complexity or operational challenges as an excuse not to secure an enterprise the way it should.”
January 27, 2024 at 8:10 am
[…] this time last week, I was writing about Microsoft getting pwned by Midnight Blizzard who also are known as Cosy Bear. Well, HPE has joined the list of companies that were pwned by this […]
March 8, 2024 at 3:41 pm
[…] when Microsoft got pwned by Midnight Blizzard and Microsoft said […]