Attack by Nation State Actor Midnight Blizzard
On 12 January 2024, exactly one week before the Friday disclosure, Microsoft's security team detected a nation-state attack on its corporate network and immediately activated its response process to investigate, disrupt the malicious activity, mitigate the attack, and deny the threat actor further access. Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium. Based on Microsoft's account of the event, it is possible that the Russian hackers had unrestricted access to the accounts for up to two months.
In a recent cybersecurity incident, Russian state-sponsored hackers were able to gain access to Microsoft's network. The attackers obtained unauthorized access to a number of user accounts on the company's network using a technique called password spraying.
Observed Midnight Blizzard activity and techniques
Initial access using password spray
Midnight Blizzard used password spray attacks to compromise a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled. In a password spray attack, an intruder tries a small set of common or likely passwords against a large number of accounts. In this operation, the actor focused its password spray on a small number of accounts and made only a few attempts against each, avoiding account lockout and any detection that keys on the volume of failed attempts.
Malicious use of OAuth applications
Using the access obtained in the previous step, the group identified and compromised a legacy test OAuth application that had elevated access to the Microsoft corporate environment. OAuth is a widely used open standard for token-based authentication: it lets you sign in to apps and services without giving your password to the website, as when you use your Gmail account to log in to a third-party site. This elevated access allowed the group to create additional malicious OAuth applications and accounts, which in turn gave them access to Microsoft's corporate network and, eventually, to its Office 365 Exchange Online service, which hosts users' email inboxes.
Collection via Exchange Web Services
Midnight Blizzard used these malicious OAuth applications to access Microsoft Exchange Online and target Microsoft corporate email accounts.
Use of residential proxy infrastructure
To communicate with the compromised tenant and, ultimately, with Exchange Online, Midnight Blizzard routed its traffic through residential proxy networks, spreading it across a large number of IP addresses that are also used by legitimate users. This was one of several measures taken to conceal the origin of the attack. The tactic is not new, but the rapid turnover of IP addresses that residential proxies give Midnight Blizzard makes traditional indicator of compromise (IOC)-based detection infeasible.
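As an added example (not from the original article or from Microsoft), the following Python detector contrasts the per-account lockout that a low-and-slow spray evades with a tenant-wide sliding window that counts distinct failing accounts regardless of source IP, which is why rotating residential-proxy IPs do not defeat it. The log format, thresholds, account names and IP addresses are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): 12 accounts each receive a
# single failed attempt within one hour, every attempt from a different
# (residential-proxy style) source IP; one real user mistypes twice then succeeds.
SIGN_IN_LOG = [
    f"2024-01-12T02:{i * 4:02d}:00Z fail user{i:02d}@example.test 203.0.113.{i + 1}"
    for i in range(12)
] + [
    "2024-01-12T02:10:00Z fail alice@example.test 198.51.100.7",
    "2024-01-12T02:10:30Z fail alice@example.test 198.51.100.7",
    "2024-01-12T02:11:00Z success alice@example.test 198.51.100.7",
]

LOCKOUT_THRESHOLD = 5       # assumed per-account lockout threshold
WINDOW = timedelta(hours=1)
MIN_ACCOUNTS = 10           # distinct failing accounts that make a window suspicious
MAX_FAILS_PER_ACCOUNT = 2   # "low and slow": only a few tries per account

def parse(line):
    ts, outcome, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome, user, ip

def locked_out_accounts(lines):
    """Accounts a classic per-account lockout would catch: none for a spray."""
    fails = defaultdict(int)
    for _, outcome, user, _ in map(parse, lines):
        if outcome == "fail":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD)

def detect_spray(lines):
    """Flag a window in which many distinct accounts fail a few times each.
    Grouping is tenant-wide rather than per source IP, so rotating proxy
    IPs do not hide the pattern."""
    fails = sorted((e for e in map(parse, lines) if e[1] == "fail"), key=lambda e: e[0])
    alerts = []
    for i, (start, _, _, _) in enumerate(fails):
        window = [e for e in fails[i:] if e[0] - start <= WINDOW]
        per_user = defaultdict(int)
        for _, _, user, _ in window:
            per_user[user] += 1
        if (len(per_user) >= MIN_ACCOUNTS
                and max(per_user.values()) <= MAX_FAILS_PER_ACCOUNT):
            alerts.append({"start": start.isoformat(), "accounts": len(per_user),
                           "source_ips": len({e[3] for e in window})})
            break   # the first matching window is enough to raise the alert
    return alerts
```

The lockout check returns nothing for this log, while the window detector raises one alert covering 13 accounts spread over 13 source IPs.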
Incident Overview
A device inside Microsoft's network was protected by a weak password and had no two-factor authentication. By repeatedly trying commonly used or previously compromised passwords, the Russian adversary group kept guessing until it found the right one and took over the account.
Investigation Findings:
Beginning in late November 2023, the threat actor used a password spray attack to gain access to a legacy non-production test tenant account, then used that account's permissions to access a very small number of Microsoft corporate email accounts, including those of Microsoft's senior leadership team and of staff in its legal, cybersecurity, and other departments. From there it exfiltrated some emails and their attached documents. According to the investigation, the actor was initially targeting email accounts for information about Midnight Blizzard itself. Employees whose emails were accessed are being notified.
Conclusion:
Protecting against attacks of this kind requires robust authentication, such as multi-factor authentication (MFA), together with strictly enforced password policies. The incident underscores the persistent and evolving threat posed by Russian hackers. Microsoft continues to monitor for cybersecurity threats to its network and customers and is investing in strengthening its security posture.
References:
Microsoft network breached through password-spraying by Russia-state hackers | Ars Technica
Midnight Blizzard: Guidance for responders on nation-state attack | Microsoft Security Blog