On January 12th, 2024, Microsoft discovered that Russian hackers had breached its systems in November 2023 and stolen emails from its leadership, cybersecurity, and legal teams. The stolen emails contained information about the hacking group itself, giving the threat actors insight into what Microsoft knew about them.
According to Microsoft, the threat actors used residential proxies and password spraying brute-force attacks [T1110.003] against a small number of accounts, including a legacy test account [T1078.002]. In this attack, the actor tailored the password spray to a limited number of accounts with a low number of attempts per account to avoid detection and account lockouts.
It was initially unclear whether multi-factor authentication (MFA) was enabled on the test account and how the account had enough privileges to move laterally within the organization. Microsoft has since confirmed that MFA was not enabled for the account, allowing the threat actors to access Microsoft's systems once they successfully brute-forced the password.
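As an added illustration (not code from the article or from Microsoft's published detections), the following Python sketch shows why per-account lockout thresholds miss the tradecraft described above and what a defender can key on instead: breadth across accounts in one time window, rotating source addresses, and a sprayed account that then signs in without MFA. The sign-in records and their field layout are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sign-in records for illustration (not telemetry from the incident).
# Assumed schema: ISO timestamp, account, source IP, outcome, MFA satisfied.
EVENTS = [
    ("2023-11-20T01:00:00", "svc-legacy-test", "203.0.113.10", "failure", False),
    ("2023-11-20T01:07:00", "jdoe", "198.51.100.22", "failure", False),
    ("2023-11-20T01:15:00", "asmith", "203.0.113.77", "failure", False),
    ("2023-11-20T01:22:00", "svc-legacy-test", "198.51.100.5", "failure", False),
    ("2023-11-20T01:31:00", "bwong", "192.0.2.44", "failure", False),
    ("2023-11-20T01:40:00", "svc-legacy-test", "192.0.2.9", "success", False),
    ("2023-11-20T09:00:00", "jdoe", "198.51.100.22", "failure", False),  # ordinary typo
    ("2023-11-20T09:00:30", "jdoe", "198.51.100.22", "success", True),
]


def detect_spray(events, window_hours=2, min_accounts=3, max_per_account=3, min_ips=3):
    """Flag low-and-slow password sprays: many accounts, few attempts each, rotating IPs.

    Each account sees at most max_per_account failures, so lockout rules never fire;
    the signal is the number of distinct accounts failing inside one window. Residential
    proxies rotate source addresses, so IP diversity counts as a spray indicator rather
    than a reason to split the data by IP.
    """
    evs = sorted(((datetime.fromisoformat(t), u, ip, out, mfa) for t, u, ip, out, mfa in events), key=lambda e: e[0])
    findings, i = [], 0
    while i < len(evs):
        start = evs[i][0]
        end = start + timedelta(hours=window_hours)
        window = [e for e in evs if start <= e[0] < end]
        failures = [e for e in window if e[3] == "failure"]
        per_account = Counter(e[1] for e in failures)
        source_ips = {e[2] for e in failures}
        is_spray = (
            len(per_account) >= min_accounts
            and len(source_ips) >= min_ips
            and max(per_account.values()) <= max_per_account
        )
        if not is_spray:
            i += 1
            continue
        # Highest severity: a sprayed account then authenticates successfully without MFA.
        compromised = sorted({e[1] for e in window if e[3] == "success" and not e[4] and e[1] in per_account})
        findings.append({
            "window_start": start.isoformat(),
            "targeted_accounts": sorted(per_account),
            "source_ips": sorted(source_ips),
            "success_without_mfa": compromised,
        })
        # Skip past this window so overlapping windows do not re-report the same spray.
        i = next((j for j, e in enumerate(evs) if e[0] >= end), len(evs))
    return findings
```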
Microsoft also revealed that the test account had access to an OAuth application with elevated privileges in the corporate environment. This gave the threat actors the ability to create additional OAuth applications and gain access to other corporate mailboxes. As a result of their investigation, Microsoft has identified that the same actor has targeted other organizations and has begun notifying these targeted organizations.
Microsoft has provided extensive detection and hunting methods in its latest post to aid defenders in identifying attacks by APT29 and blocking their malicious activity.
They advise focusing on identity, XDR, and SIEM alerts. The following scenarios are particularly suspicious for Midnight Blizzard activity:
Elevated activity in email-accessing cloud apps, suggesting potential data retrieval.
Spike in API calls post-credential update in non-Microsoft OAuth apps, hinting at unauthorized access.
Increased Exchange Web Services API usage in non-Microsoft OAuth apps, potentially indicating data exfiltration.
Non-Microsoft OAuth apps with known risky metadata, possibly involved in data breaches.
OAuth apps created by users from high-risk sessions, suggesting compromised account exploitation.
Multi-factor authentication serves as a crucial layer of defense, adding an additional verification step beyond passwords. Its absence, as in this case, can expose systems to heightened risks, as passwords alone may prove susceptible to brute-force attacks.
Moving forward, it's essential for organizations to prioritize the implementation and proper configuration of MFA across all relevant accounts and systems. This proactive measure significantly enhances the security posture, mitigating the impact of password-related vulnerabilities and offering an additional barrier against unauthorized access.
In response to this incident, it would be prudent for organizations to conduct a thorough security review, ensuring that MFA is not only enabled but also configured appropriately to maximize its effectiveness.
Also, educating users on the importance of strong, unique passwords and the value of multi-factor authentication can further fortify the overall security posture.
This incident serves as a reminder that cybersecurity is an ongoing and dynamic challenge, requiring continuous vigilance and adaptation to emerging threats. Implementing a comprehensive security strategy that includes MFA, regular security assessments, and user education is pivotal in safeguarding against evolving cyber threats.
1. Toulas, B. (2024, January 26). Microsoft reveals how hackers breached its Exchange Online accounts. BleepingComputer. https://www.bleepingcomputer.com/news/security/microsoft-reveals-how-hackers-breached-its-exchange-online-accounts/
How can CyberForce|Q services help you address this risk?
Incident response is time-sensitive, and CyberForce|Q can assist with a potential incident in your environment. Our experienced Incident Response Team can be deployed 24x7x365; reach out to firstname.lastname@example.org.