|2023-11-01 to 2024-01-12
|2023-11-01 to 2024-01-12
Leveraging an unused account, the Russian APT Midnight Blizzard was able to pivot into Microsoft’s corporate Office 365 to access the emails of key executives and cyber-security employees. Midnight Blizzard was searching for what information Microsoft knew about themselves.
Per Microsoft (emphasis mine):
Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.
Mandiant has outlined a number of methods APT29 uses against Microsoft 365 customers. One passage on the above report from 2021 may be relevant:
Mandiant has begun to observe another trend where threat actors, including APT29, take advantage of the self-enrollment process for MFA in Azure Active Directory and other platforms. When an organization first enforces MFA, most platforms allow users to enroll their first MFA device at the next login. This is often the workflow chosen by organizations to roll out MFA. In Azure AD and other platform’s default configuration, there are no additional enforcements on the MFA enrollment process. In other words, anyone with knowledge of the username and password can access the account from any location and any device to enroll MFA, so long as they are the first person to do it.
The pivot from a test tenant to the Microsoft Corporate tenant involved fake OAuth applications:
Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes. (source)
Midnight Blizzard also used Exchange Web Services and residential IP addresses to disguise it’s activity.
|Late November, 2023
|Threat actor compromised a legacy account
|January 12, 2024
|Microsoft detects compromise of their corporate systems
|January 19, 2024
|Microsoft disclosed the incident in a SEC filing and on their blog
|January 25, 2024
|Microsoft reveals more about the trade craft used by APT29
Microsoft specifically placed the blame on Midnight Blizzard, otherwise known as Cozy Bear or APT29. This group attributed to the Russian SVR was believed to be responsible for the Solar Winds compromise and the DNC hack of 2015.
Hewlett Packard Enterprise disclosed a similar attack from Midnight Blizzard against their “cloud-based email environment.”
“we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”
To soon to tell. This is the second major incident of a nation-state compromising Office 365 mailboxes, after the 2023 compromise of the US State Department by China’s Storm-0558.
In its initial disclosure Microsoft states:
As we said late last year when we announced Secure Future Initiative (SFI), given the reality of threat actors that are resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient. For Microsoft, this incident has highlighted the urgent need to move even faster. We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.
From the highlighted paragraph a number of very concerning things are presented: