Microsoft has revealed that on January 12, 2024, they were attacked by a nation state. Here’s what happened next:
The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium.
And:
Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.
The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.
This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.
So this state-sponsored group, which in this case means Russia, since Midnight Blizzard is a Russian-affiliated group, was looking for information on itself. Does that mean that they were worried about what Microsoft knew about them? I say that because this is the first time I have heard of a group hacking someone to find out information on themselves. Second, if you are wondering what a “password spray attack” is, it’s defined as follows:
Password spraying is a type of brute force attack. In this attack, an attacker will brute force logins based on a list of usernames with default passwords on the application. For example, an attacker will use one password (say, Secure@123) against many different accounts on the application to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.
This attack can be found commonly where the application or admin sets a default password for the new users.
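The definition above describes the pattern a defender can look for: one source hitting many different accounts with only one or two attempts each, which stays under the per-account lockout threshold that a classic single-account brute force would trip. The following Python script is an added example, not code from the original post or from Microsoft. It runs a sliding-window detector over a constructed sign-in log (the log format, IP addresses and usernames are all made up for illustration) and distinguishes a spray from a single-account brute force, flagging any account the spraying source subsequently signed into successfully.

```python
"""Password-spray detection over sign-in logs (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>".
# 203.0.113.5 sprays six accounts once each, then later signs into "legacy-test".
# 198.51.100.7 hammers a single account (classic brute force, caught by lockout).
# 192.0.2.9 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2024-01-10T02:00:01Z 203.0.113.5 alice FAIL
2024-01-10T02:00:04Z 203.0.113.5 bob FAIL
2024-01-10T02:00:07Z 203.0.113.5 carol FAIL
2024-01-10T02:00:10Z 203.0.113.5 dave FAIL
2024-01-10T02:00:13Z 203.0.113.5 erin FAIL
2024-01-10T02:00:16Z 203.0.113.5 legacy-test FAIL
2024-01-10T02:05:16Z 203.0.113.5 legacy-test SUCCESS
2024-01-10T02:01:00Z 198.51.100.7 alice FAIL
2024-01-10T02:01:05Z 198.51.100.7 alice FAIL
2024-01-10T02:01:10Z 198.51.100.7 alice FAIL
2024-01-10T02:01:15Z 198.51.100.7 alice FAIL
2024-01-10T02:01:20Z 198.51.100.7 alice FAIL
2024-01-10T02:01:25Z 198.51.100.7 alice FAIL
2024-01-10T02:03:00Z 192.0.2.9 alice FAIL
2024-01-10T02:03:20Z 192.0.2.9 alice SUCCESS
"""


def parse_events(text):
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "ip": ip, "user": user, "result": result})
    return sorted(events, key=lambda e: e["time"])


def detect_spray(events, window=timedelta(minutes=10), min_users=5, lockout_threshold=3):
    """Flag source IPs whose failures hit >= min_users distinct accounts inside one window
    while keeping each account at or below lockout_threshold attempts (the spray signature).
    A single-account brute force has one distinct user and is not reported here."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        best = None
        for i, start in enumerate(fails):
            # Sliding window anchored at each failure; events are already time-sorted.
            in_window = [e for e in fails[i:] if e["time"] - start["time"] <= window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e["user"]] += 1
            distinct = len(per_user)
            if distinct >= min_users and max(per_user.values()) <= lockout_threshold:
                if best is None or distinct > best["distinct_users"]:
                    best = {
                        "start": start["time"],
                        "distinct_users": distinct,
                        "max_attempts_per_user": max(per_user.values()),
                        "targeted": sorted(per_user),
                    }
        if best is not None:
            # Any successful sign-in from the spraying source after the spray began
            # is the high-priority signal: that account is likely compromised.
            best["subsequent_success"] = sorted(
                {e["user"] for e in evs
                 if e["result"] == "SUCCESS" and e["time"] >= best["start"]}
            )
            findings[ip] = best
    return findings


def analyze_sample():
    """Run the detector over the constructed log and return findings keyed by source IP."""
    return detect_spray(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, info in analyze_sample().items():
        print(f"spray from {ip}: {info['distinct_users']} accounts, "
              f"max {info['max_attempts_per_user']}/account, "
              f"later successes: {info['subsequent_success']}")
```

Two design points matter in practice. First, keying on distinct accounts per source rather than failures per account is what makes the spray visible at all, since per-account counters never reach the lockout threshold. Second, the sprayed source succeeding against a dormant or test account is exactly the condition the post describes, so the detector surfaces that success alongside the spray rather than leaving it as an ordinary login in the log.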
This again highlights why passwords tend to be one of the weak points when it comes to cybersecurity. But I digress.
The fact that Microsoft was targeted in this manner is pretty brazen on the part of these threat actors. I for one will be interested to see what Microsoft says in terms of what these threat actors did once they got in beyond what Microsoft has said, and what they might have taken.
Stay tuned to this space.
UPDATE: Carol Volk, EVP, BullWall had this comment:
“So how big do you have to be to be secure? The apparent lack of 2FA and/or weak passwords by Microsoft’s senior staff allowed the Russian hacking group Midnight Blizzard to read their emails, and that’s the point here, anyone and everyone is vulnerable. It’s not just the zero-days that get you, it’s just that one hole in your defenses. In this case an old fashioned “password spray attack” worked just fine to let attackers in to read management emails.
“Microsoft is lucky this time, as apparently the gang was searching emails to see what MS was saying about them. They could have just as easily stolen or destroyed the data. Attackers can always find a way into a network, so regular air gapped backups and a rapid response ransomware containment system should be part of the complete defensive stack.”
Mark B. Cooper, President & Founder, PKI Solutions follows with this:
“The continued use of passwords will always lead to more security breaches like Microsoft experienced. This is especially true when test/non-production accounts are expected to be used for a short period of time or won’t be used to access confidential information and are allowed to have weak security controls. A strong identity and encryption standard that covers all identities, temporary or otherwise, is the only way to stem the tide of password breaches. Stronger technologies like mutual authentication certificates and security tokens have been around for decades, but it has been traditionally easy to dismiss the complexity or operational challenges as an excuse not to secure an enterprise the way it should.”
Microsoft Introduces VASA-1…. Which Might Not Be The Best Thing For Us Humans Just Yet
Posted in Commentary with tags Microsoft on April 19, 2024 by itnerd
From the “this might not be a good idea” department comes the announcement by Microsoft of VASA-1. Here’s the TL;DR on this:
We introduce VASA, a framework for generating lifelike talking faces of virtual characters with appealing visual affective skills (VAS), given a single static image and a speech audio clip. Our premiere model, VASA-1, is capable of not only producing lip movements that are exquisitely synchronized with the audio, but also capturing a large spectrum of facial nuances and natural head motions that contribute to the perception of authenticity and liveliness. The core innovations include a holistic facial dynamics and head movement generation model that works in a face latent space, and the development of such an expressive and disentangled face latent space using videos. Through extensive experiments including evaluation on a set of new metrics, we show that our method significantly outperforms previous methods along various dimensions comprehensively. Our method not only delivers high video quality with realistic facial and head dynamics but also supports the online generation of 512×512 videos at up to 40 FPS with negligible starting latency. It paves the way for real-time engagements with lifelike avatars that emulate human conversational behaviors.
I’ll get to why I am lukewarm at best with this. But first, let’s see what Kevin Surace, Chair, Token has to say on this:
Before Microsoft there have already been several other demonstrations of animating single face images and cloning voices. So we have been able to experience this for many months. Microsoft’s entry here is excellent and state of the art across all models I have seen. The implications for personalizing emails and other business mass communication are fabulous. Even animating older pictures as well. To some extent this is just fun and to another it has solid business applications we will all use in the coming months and years.
Of course one can replace a live webcam with a virtual version of yourself, especially when you have a bad hair day. But of course the images we see today are already a digitally reproduced image of you. Meaning the webcam is gathering pixels, processing them, compressing them, sending them across the country and recomposing it on someone’s screen. This is arguably the next extension of that by manipulating the pixels in real-time so that you can truly look your best. And it’s still your voice and your words.
All synthetic media is democratizing what Hollywood could do with CGI for many years. All of this will lead to low cost content creation at a scale we have never seen. And that’s great for creators…even if overloading for the viewers.
Of course we continue down a road of being able to produce more convincing deep fakes at many levels. Arguably that train left the station when Photoshop was introduced. This continues to take us closer to perfect video and audio representations of ourselves with and without our permission. Of course the major models will include a watermark stating this is AI generated. But in time open source models will emerge which don’t.
We have been photoshopping ourselves for decades. Improving our looks and erasing blemishes. Is that ethical? Where does it become unethical? We all want to be and look our best. And multiply ourselves. When used properly by us, this tech does that amazingly well.
CS and entertainment are obvious. As is marketing and mass communications. It’s basically a digital twin of ourselves or perhaps of our relative or a coworker (all with permission). How about birthday cards fully customized for you from a celebrity? Or when you are sick sending a video of you looking your best? It’s all becoming possible and will be right in our pockets in the coming year.
Here’s my $0.02 worth. I can see scenarios where the following can happen:
I think that Microsoft needs to demonstrate and speak to how they will gatekeep this so that it’s used with the best of intentions rather than the worst of intentions. That would take me from being lukewarm to something more positive.