Microsoft Releases More Details On Being Pwned By Midnight Blizzard

Remember when Microsoft got pwned by Midnight Blizzard and Microsoft said this:
Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.
The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.
Well, Microsoft has altered their tune. Now they’re saying this:
In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.
It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.
Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.
Shawn Loveland, COO of Resecurity, had this to say:
It is well known that Microsoft expends significant resources to protect its assets. Their security posture is world-class. However, this example shows that even world-class security processes and technologies can be bypassed by threat actors ranging from opportunistic script kiddies to well-resourced state actors. Microsoft, as with most defenders, has become overly reliant on legacy technologies and processes, a digital version of the Maginot Line. Companies need to evolve to a defense-in-depth strategy, which includes offensive defenses that incorporate what threat actors are doing and preparing for outside of their perimeter, which gives them visibility from the attacker’s perspective.
It will not surprise me if Microsoft changes its tune again when more information about what happened is discovered. While the ideal situation is not to get pwned in the first place, this incident illustrates why you need to really go deep into the weeds if you do get pwned.
This entry was posted on March 8, 2024 at 3:40 pm and is filed under Commentary with tags Microsoft.