    Default password, missing MFA: This is how the attack on the MS security department happened

    By Theodore Meeks, January 26, 2024

    How did the attackers get into Microsoft's cybersecurity department? Because of the lack of multi-factor authentication and the use of a standard password, as Microsoft itself must now admit.

    Background: A few days ago, Microsoft announced that the Russian-backed Midnight Blizzard group had successfully accessed emails from security employees. The criminals, also known as Nobelium, have been targeting Microsoft since the end of November 2023 and have managed to steal data from executives during this time. Their primary goal: to steal information about their group stored at Microsoft.

    This is not how you do it

    But how could this happen in the cybersecurity department of all places? Microsoft has now published details of the attackers' approach, which should encourage other organizations to improve their security infrastructure. Midnight Blizzard was already known to use password spraying: attackers try only a limited number of passwords, but choose the most common ones or those most likely to be in use. In other words: you can start with a standard password.

    By limiting the number of attempts and hiding behind a proxy infrastructure, the criminals were able to avoid early detection. However, this should not normally have been enough, as Microsoft itself encourages the use of multi-factor authentication by default. The password in Nobelium's hands should not have been sufficient. However, the company itself now describes how MFA was simply not activated on an old test tenant account. Through this account, Midnight Blizzard gained initial access.
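The following detection sketch is an added example, not code from the article or from Microsoft. It shows why a per-IP failure threshold misses a low-volume spray spread across proxies, while a tenant-wide count of accounts with only a few failures each catches it and surfaces the password-only sign-in that follows. The event fields, account names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

def _ev(ts, account, ip, ok, mfa=False):
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "ip": ip, "ok": ok, "mfa": mfa}

# Constructed sign-in log: a slow spray via changing proxy IPs, then benign typos.
EVENTS = [
    _ev("2024-01-10T02:03:00", "alice", "203.0.113.10", False),
    _ev("2024-01-10T02:11:00", "bob", "203.0.113.44", False),
    _ev("2024-01-10T02:19:00", "carol", "198.51.100.7", False),
    _ev("2024-01-10T02:27:00", "dave", "198.51.100.93", False),
    _ev("2024-01-10T02:35:00", "erin", "192.0.2.15", False),
    _ev("2024-01-10T02:43:00", "test-legacy", "192.0.2.201", True, mfa=False),
    _ev("2024-01-10T09:00:00", "frank", "203.0.113.200", False),
    _ev("2024-01-10T09:00:20", "frank", "203.0.113.200", False),
    _ev("2024-01-10T09:00:40", "frank", "203.0.113.200", False),
    _ev("2024-01-10T09:01:00", "frank", "203.0.113.200", True, mfa=True),
]

def _hour(ts):
    # Tumbling one-hour bucket; a production rule would use a sliding window.
    return ts.replace(minute=0, second=0, microsecond=0)

def per_ip_alerts(events, threshold=3):
    """Classic rule: flag any source IP with >= threshold failed sign-ins."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def spray_windows(events, min_accounts=5, max_per_account=2):
    """Flag hours where many accounts each fail only a few times, whatever the IP."""
    buckets = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e["ok"]:
            buckets[_hour(e["ts"])][e["account"]] += 1
    return sorted(h for h, accts in buckets.items()
                  if sum(n <= max_per_account for n in accts.values()) >= min_accounts)

def password_only_successes(events, windows):
    """Accounts that signed in without MFA inside a flagged spray window."""
    return [e["account"] for e in events
            if e["ok"] and not e["mfa"] and _hour(e["ts"]) in windows]

if __name__ == "__main__":
    flagged = spray_windows(EVENTS)
    print(per_ip_alerts(EVENTS), flagged, password_only_successes(EVENTS, flagged))
```

On this sample the per-IP rule fires only on the user who mistyped a password, while the tenant-wide rule flags the spray hour and the account that then signed in without MFA.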

    Through a legacy OAuth test application, the attackers were then able to grant themselves higher access rights and set up their own OAuth applications and their own access. By granting these applications the appropriate Exchange Online rights, they were able to use them to access emails from other mailboxes.

    There were no vulnerabilities, nor were they necessary

    Once the attack became known, Microsoft confirmed that Midnight Blizzard did not exploit any vulnerabilities. Instead, the testing system was hacked. However, it is not yet known what security measures Microsoft itself has not implemented. It remains unclear whether Microsoft discovered the attack by the same group on HPE, which became known shortly afterwards, with the company only stating that it notified other affected parties.

    To help other organizations protect themselves from the same approach, Microsoft recommends that they be able to recognize malicious OAuth applications and defend against password spraying attacks. Details of the individual steps can be found in Microsoft's blog post. Microsoft also describes how administrators can detect such attacks.


    (fu)
