Microsoft network breached through password-spraying by Russian-state hackers

Photo of author

By Sedoso Feb


Microsoft network breached through password-spraying by Russian-state hackers
Enlarge
Getty Images

Russia-state hackers exploited a weak password to compromise Microsoft’s corporate network and accessed emails and documents that belonged to senior executives and employees working in security and legal teams, Microsoft said late Friday.

The attack, which Microsoft attributed to a Kremlin-backed hacking group it tracks as Midnight Blizzard, is at least the second time in as many years that failures to follow basic security hygiene has resulted in a breach that has the potential to harm customers. One paragraph in Friday’s disclosure, filed with the Securities and Exchange Commission, was gobsmacking:

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.

Microsoft didn’t detect the breach until January 12, exactly a week before Friday’s disclosure. Microsoft’s account raises the prospect that the Russian hackers had uninterrupted access to the accounts for as long as two months.

A translation of the 93 words quoted above: A device inside Microsoft’s network was protected by a weak password with no form of two-factor authentication employed. The Russian adversary group was able to guess it by peppering it with previously compromised or commonly used passwords until they finally landed on the right one. The threat actor then accessed the account, indicating that either 2FA wasn’t employed or the protection was somehow bypassed.

Furthermore, this “legacy non-production test tenant account” was somehow configured so that Midnight Blizzard could pivot and gain access to some of the company’s most senior and sensitive employee accounts.

As Steve Bellovin, a computer science professor and affiliate law prof at Columbia University with decades of experience in cybersecurity, wrote on Mastodon:

A lot of fascinating implications here. A successful password spray attack suggests no 2FA and either reused or weak passwords. Access to email accounts belonging to “senior leadership… cybersecurity, and legal” teams using just the permissions of a “test tenant account” suggests that someone gave that test account amazing privileges. Why? Why wasn’t it removed when the test was over? I also note that it took Microsoft about seven weeks to detect the attack.

While Microsoft said that it wasn’t aware of any evidence that Midnight Blizzard gained access to customer environments, production systems, source code, or AI systems, some researchers voiced doubts, particularly about whether the Microsoft 365 service might be or have been susceptible to similar attack techniques. One of the researchers was Kevin Beaumont, who has had a long cybersecurity career that has included a stint working for Microsoft. On LinkedIn, he wrote:

Microsoft staff use Microsoft 365 for email. SEC filings and blogs with no details on Friday night are great.. but they’re going to have to be followed with actual detail. The age of Microsoft doing tents, incident code words, CELA’ing things and pretending MSTIC sees everything (threat actors have Macs too) are over — they need to do radical technical and cultural transformation to retain trust.

CELA is short for Corporate, External, and Legal Affairs, a group inside Microsoft that helps draft disclosures. MSTIC stands for the Microsoft Threat Intelligence Center.

A Microsoft representative said the company declined to answer questions, including whether basic security practices were followed.

The breach is reminiscent of one that hit Microsoft last year when China-state hackers, tracked as Storm-0558, broke into Microsoft’s network. Over the next month, the group accessed Azure and Exchange accounts belonging to multiple customers, several of which belonged to the US Departments of State and Commerce.

As I reported in September:

The corporate account of one of its engineers had been hacked. Storm-0558 then used the access to steal the key. Such keys, Microsoft said, are entrusted only to employees who have undergone a background check and then only when they are using dedicated workstations protected by multi-factor authentication using hardware token devices. To safeguard this dedicated environment, email, conferencing, web research, and other collaboration tools aren’t allowed because they provide the most common vectors for successful malware and phishing attacks. Further, this environment is segregated from the rest of Microsoft’s network, where workers have access to email and other types of tools.

Those safeguards broke down in April 2021, more than two years before Storm-0558 gained access to Microsoft’s network. When a workstation in the dedicated production environment crashed, Windows performed a standard “crash dump,” in which all data stored in memory is written to disk so engineers can later diagnose the cause. The crash dump was later moved into Microsoft’s debugging environment. The hack of a Microsoft engineer’s corporate account allowed Storm-0558 to access the crash dump and, with it, the expired Exchange signing key.

Normally, crash dumps strip out signing keys and similarly sensitive data. In this case, however, a previously unknown vulnerability known as a “race condition” prevented that mechanism from working properly.

Not to be outdone, an X (formerly Twitter) account belonging to Mandiant, the Google-owned security firm, was recently compromised. Mandiant later said that the breach resulted from a “brute force” attack on the account password. Mandiant didn’t elaborate. The explanation means that the password for that account was also weak and that the account wasn’t protected by 2FA.

The incident is prompting Microsoft to accelerate the implementation of a Secure Future Initiative that it first revealed last year.

“We are shifting the balance we need to strike between security and business risk—the traditional sort of calculus is simply no longer sufficient,” company officials wrote in Friday’s disclosure. “For Microsoft, this incident has highlighted the urgent need to move even faster. We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.”

Source

Leave a Comment

jis jis jis jis jis jis jis jis jis