Microsoft revealed last week that it had detected a nation-state attack on its corporate systems from Russian state-sponsored hackers who were behind the SolarWinds attack. Hackers were able to access the email accounts of some members of Microsoft’s senior leadership team – potentially spying on them for weeks or months.
While Microsoft did not provide many details on how the attackers gained access in its initial SEC disclosure late Friday, the software maker has now published a preliminary analysis of how the hackers bypassed its security. It also warns that the same hacking group, known as Nobelium or by Microsoft’s weather-themed name “Midnight Blizzard”, is targeting other organizations.
Nobelium initially gained access to Microsoft’s systems through a password spray attack. This is a form of brute-force attack in which the attackers try a small dictionary of likely passwords against many accounts, rather than many passwords against one account. Importantly, the non-production test tenant account that was breached did not have two-factor authentication enabled. Microsoft says Nobelium “tailored its password spray attacks to a limited number of accounts, using a low number of attempts to avoid detection.”
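The “low number of attempts” detail above is exactly what defeats per-account lockout thresholds: no single account sees enough failures to trip an alert. The detection below, an added example that is not part of the original article or of Microsoft’s own tooling, looks at sign-ins from the other direction, grouping by source address and flagging a source that touches many distinct accounts with only a few attempts each. It runs over constructed sample sign-in records (a hypothetical `test.example` tenant), and then lists which accounts the flagged source actually got into that had no MFA, which is the responder’s first follow-up.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events for a hypothetical tenant (not real telemetry).
# Fields: UTC timestamp, user principal name, source IP, outcome, MFA enforced on the account.
SAMPLE_SIGNINS = [
    # Low-and-slow spray: one attempt per account, spaced out, ending in a success
    # against an account that has no MFA.
    ("2023-11-20T01:00:00", "alice@test.example", "198.51.100.7", "fail", False),
    ("2023-11-20T01:40:00", "bob@test.example", "198.51.100.7", "fail", True),
    ("2023-11-20T02:15:00", "carol@test.example", "198.51.100.7", "fail", True),
    ("2023-11-20T02:50:00", "dave@test.example", "198.51.100.7", "fail", False),
    ("2023-11-20T03:30:00", "erin@test.example", "198.51.100.7", "fail", True),
    ("2023-11-20T04:05:00", "legacy-test@test.example", "198.51.100.7", "success", False),
    # Classic single-account brute force from another source: noisy, and not a spray.
    *[("2023-11-20T05:%02d:00" % m, "bob@test.example", "203.0.113.9", "fail", True)
      for m in range(8)],
    # A user mistyping a password once, then succeeding: benign.
    ("2023-11-20T06:00:00", "carol@test.example", "192.0.2.5", "fail", True),
    ("2023-11-20T06:01:00", "carol@test.example", "192.0.2.5", "success", True),
]


def parse(rec):
    """Turn a sample tuple into typed fields."""
    ts, user, ip, outcome, mfa = rec
    return datetime.fromisoformat(ts), user, ip, outcome, mfa


def detect_password_spray(records, window=timedelta(hours=6),
                          min_distinct_users=5, max_attempts_per_user=3):
    """Flag source IPs that, within any sliding `window`, touch at least
    `min_distinct_users` distinct accounts while making no more than
    `max_attempts_per_user` attempts on any one of them.
    Returns {source_ip: sorted list of accounts it touched in flagged windows}."""
    by_ip = defaultdict(list)
    for ts, user, ip, outcome, _mfa in map(parse, records):
        by_ip[ip].append((ts, user, outcome))

    flagged = defaultdict(set)
    for ip, events in by_ip.items():
        events.sort()
        for i, (t_end, _, _) in enumerate(events):
            # Every attempt from this IP in the window ending at event i.
            in_window = [u for (t, u, _) in events[: i + 1] if t >= t_end - window]
            per_user = Counter(in_window)
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_attempts_per_user):
                flagged[ip].update(per_user)
    return {ip: sorted(users) for ip, users in flagged.items()}


def successful_logins_without_mfa(records, flagged):
    """Accounts a flagged source signed into successfully that had no MFA:
    the highest-priority accounts to reset and investigate."""
    hits = set()
    for _ts, user, ip, outcome, mfa in map(parse, records):
        if ip in flagged and outcome == "success" and not mfa:
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    sprays = detect_password_spray(SAMPLE_SIGNINS)
    for ip, users in sprays.items():
        print(f"spray from {ip}: {len(users)} accounts touched")
    print("compromised, no MFA:", successful_logins_without_mfa(SAMPLE_SIGNINS, sprays))
```

The single-account brute force from `203.0.113.9` is deliberately not reported: eight failures on one user exceeds `max_attempts_per_user`, and a per-account lockout rule already covers it. The main false positive for this rule is a shared egress address (corporate NAT, VPN concentrator) where many legitimate users each fail once; in practice the thresholds are tuned per source, and a success from a flagged source against an account with no MFA is what turns the alert into an incident.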
With this foothold, the group “leveraged its early access to identify and compromise a legacy test OAuth application that had increased access to Microsoft corporate environments.” OAuth is a widely used open standard for token-based authentication. It is commonly used across the web to let you sign in to applications and services on a website without giving out your password; the websites you can sign in to with your Gmail account are a familiar example of OAuth in use.
This elevated access allowed the group to create additional malicious OAuth applications and create accounts to access Microsoft’s corporate environments and ultimately its Office 365 Exchange Online service, which provides access to email inboxes.
“Midnight Blizzard leveraged these malicious OAuth applications to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts,” Microsoft’s security team explains.
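The weak point in the passage above is an old, forgotten application that still held application-level (no user signed in) mailbox permissions. An inventory review catches that class of exposure before it is abused. The audit below is an added example, not the article’s or Microsoft’s code: it runs over a constructed inventory of application records (a hypothetical tenant; the shape of the records, the `test.example` domain and the risk rules are this example’s assumptions) and reports every app holding app-only mailbox permissions, with aggravating factors such as no owner, long disuse, or creation by a test identity. The permission names `full_access_as_app` (Exchange Online) and `Mail.Read`, `Mail.ReadWrite`, `Mail.Send` (Microsoft Graph) are real names; treating exactly this set as the high-risk set is the example’s own choice.

```python
from datetime import date, timedelta

# Permission names that grant mailbox access without a signed-in user.
# Assumption of this example: this is the set we consider high risk.
APP_ONLY_MAILBOX_PERMISSIONS = {"full_access_as_app", "Mail.Read", "Mail.ReadWrite", "Mail.Send"}

# Constructed inventory for a hypothetical tenant (not real app registrations).
# Dates are ISO strings; last_sign_in is None when the app has never been used.
SAMPLE_APPS = [
    {"app_id": "app-legacy-test", "display_name": "legacy-test-mailer",
     "permission_type": "application", "permissions": ["full_access_as_app"],
     "created": "2019-03-01", "last_sign_in": "2020-06-12", "owners": []},
    {"app_id": "app-hr-sync", "display_name": "hr-directory-sync",
     "permission_type": "delegated", "permissions": ["User.Read"],
     "created": "2022-09-14", "last_sign_in": "2024-01-14", "owners": ["hr-team@corp.example"]},
    {"app_id": "app-backup-helper", "display_name": "backup-helper",
     "permission_type": "application", "permissions": ["Mail.ReadWrite"],
     "created": "2024-01-05", "last_sign_in": "2024-01-10", "owners": ["legacy-test@test.example"]},
    {"app_id": "app-ticketing-bot", "display_name": "ticketing-bot",
     "permission_type": "application", "permissions": ["Mail.Send"],
     "created": "2021-02-02", "last_sign_in": "2024-01-13", "owners": ["it-ops@corp.example"]},
]

AUDIT_DATE = date(2024, 1, 15)  # "today" for the sample run


def audit_oauth_apps(apps, today, stale_days=180, test_domains=("test.example",)):
    """Return {app_id: [reasons]} for every app with app-only mailbox access.
    The first reason is always the mailbox-access finding; the rest are
    aggravating factors that raise the priority of the review."""
    findings = {}
    for app in apps:
        perms = set(app["permissions"])
        app_only = app["permission_type"] == "application"
        if not (app_only and perms & APP_ONLY_MAILBOX_PERMISSIONS):
            continue  # delegated or non-mailbox permissions: out of scope here
        reasons = ["app_only_mailbox_access"]

        # Unused credentials with broad access are pure liability.
        last = app["last_sign_in"] and date.fromisoformat(app["last_sign_in"])
        if not last or today - last > timedelta(days=stale_days):
            reasons.append("stale_or_never_used")

        # Nobody to ask "do you still need this?" means nobody to notice abuse.
        if not app["owners"]:
            reasons.append("no_owner")
        if any(o.split("@")[-1] in test_domains for o in app["owners"]):
            reasons.append("owned_by_test_identity")

        # Brand-new app-only mail access is worth a second look on its own.
        if today - date.fromisoformat(app["created"]) <= timedelta(days=30):
            reasons.append("recently_created_app_only")

        findings[app["app_id"]] = reasons
    return findings


def rank_findings(findings):
    """Order findings by number of aggravating factors, most severe first."""
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for app_id, reasons in rank_findings(audit_oauth_apps(SAMPLE_APPS, AUDIT_DATE)):
        print(f"{app_id}: {', '.join(reasons)}")
```

The ticketing bot is reported with a single reason: app-only `Mail.Send` may be perfectly legitimate, but every such grant should have a named owner and a documented purpose, so it belongs on the list. In a real tenant the input would be exported from the tenant’s application and permission-grant inventory rather than typed in, and the two items that stand out in the sample, a stale ownerless legacy app and a fresh app created by a test-tenant identity, are the patterns the article describes.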
Microsoft has not disclosed how many of its corporate email accounts were targeted and accessed, but the company previously described it as “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.”
Microsoft has still not disclosed the exact timeline for how long hackers had been spying on its senior leadership team and other employees. The initial attack occurred in late November 2023, but Microsoft became aware of it on January 12. This could mean that the attackers had been spying on Microsoft executives for about two months.
Hewlett Packard Enterprise (HPE) revealed earlier this week that the same group of hackers had previously gained access to its “cloud-based email environment.” HPE did not name the provider, but the company disclosed that the incident was likely related to an earlier one involving “a limited number of [Microsoft] SharePoint files” dating back to May 2023.
The attack on Microsoft came as the company announced plans to improve its software security following major Azure cloud attacks. It is the latest cybersecurity incident to hit Microsoft, after a Microsoft Exchange Server flaw led to the email servers of 30,000 organizations being hacked in 2021, and Chinese hackers broke into US government emails through a Microsoft cloud exploit last year. Microsoft was also at the center of the massive SolarWinds attack nearly three years ago, which was carried out by the same Nobelium group behind this embarrassing executive email attack.
Microsoft’s admission about the lack of two-factor authentication on a key test account is likely to raise eyebrows in the cybersecurity community. Although this was not a Microsoft software vulnerability, it was a set of poorly configured testing environments that allowed hackers to quietly move into Microsoft’s corporate network. “How does a non-production test environment lead to the compromise of Microsoft’s most senior executives?” asked CrowdStrike CEO George Kurtz in an interview with CNBC earlier this week. “I think there’s going to be a lot more to come on this.”
Kurtz was right: much more has been revealed, but some key details are still missing. Microsoft claims that if this same non-production test environment were deployed today, “mandatory Microsoft policies and workflows would ensure MFA and our proactive security” to better protect against these attacks. Microsoft still has a lot of explaining to do, especially if it wants its customers to trust that it really is improving the way it designs, builds, tests, and operates its software and services to better protect against security threats.