Microsoft has released guidance on how to address the recent Russian nation-state attack that compromised its systems [6]. This attack, carried out by Russian threat actors known as Midnight Blizzard, Nobelium [2], APT29 [2], or Cozy Bear [1] [2], targeted global organizations [2], primarily in the US and Europe [2], including governments [2], diplomatic entities [2], NGOs [2], and IT service providers [2]. The attackers aimed to obtain sensitive data that could be valuable to the Russian government.

Description

The initial attack vector involved a legacy test tenant without multi-factor authentication [4], which was accessed through a password-spray attack. By analyzing Exchange Web Services (EWS) logs and identifying the behaviors of the threat group, organizations can enhance their defense against state-sponsored attacks [5]. The attackers then compromised an OAuth app with elevated access to the Microsoft corporate environment [1] [4], allowing them to create additional OAuth applications and a user account with consent in Microsoft’s systems [4]. Through the use of the legacy test OAuth application [4], the attackers gained full access to Office 365 Exchange Online mailboxes [4]. The attack lasted approximately four weeks, during which the attackers targeted information related to their own group. To carry out the attack, the attackers also utilized residential proxy networks and compromised user IP addresses [4]. Notably, Microsoft’s highly-positioned individuals [2], including senior executives and those in cybersecurity and legal departments [2], were specifically targeted. As a result, some emails and attached documents were stolen [2].

In response to this incident, Microsoft has provided guidance that includes steps to identify malicious OAuth applications and highly privileged identities [6], protect against password spray attacks [6], enable identity alerts and protection [6], and identify and investigate suspicious OAuth activity [6]. These measures aim to prevent unauthorized access and detect any suspicious activity associated with the attack [6]. Additionally, Hewlett Packard Enterprise disclosed that their email system was breached by the same hackers last year. However, the exact number of breached accounts and the information accessed or stolen has not been disclosed [3]. Microsoft has also issued a blog post to assist the industry in defending against this hacking group.

Conclusion

The recent Russian nation-state attack on Microsoft’s systems has raised concerns about the security of global organizations, particularly in the US and Europe. The attack targeted governments, diplomatic entities [2], NGOs [2], and IT service providers [2], with the goal of obtaining sensitive data for the Russian government. Microsoft’s guidance provides essential steps to enhance defense against state-sponsored attacks, including identifying malicious OAuth applications [6], protecting against password spray attacks [6], enabling identity alerts and protection [6], and investigating suspicious OAuth activity [6]. The breach of Hewlett Packard Enterprise’s email system further highlights the need for increased vigilance and security measures. As the threat landscape continues to evolve, it is crucial for organizations to remain proactive in their efforts to prevent unauthorized access and detect any suspicious activity associated with these attacks.

References

[1] https://me.pcmag.com/en/security/21686/russian-hackers-that-infiltrated-microsoft-also-targeted-other-companies
[2] https://www.techradar.com/pro/security/abuse-of-residential-proxy-services-password-spray-key-to-midnight-blizzard-attacks-warns-microsoft-heres-what-that-means-for-you
[3] https://www.yahoo.com/news/microsoft-says-russian-hackers-targeted-160321496.html
[4] https://www.itnews.com.au/news/russian-threat-group-crafted-malicious-oauth-apps-to-breach-microsoft-604516
[5] https://winbuzzer.com/2024/01/29/microsoft-details-exchange-online-breach-techniques-used-by-russian-state-sponsored-hackers-xcxwbn/
[6] https://www.infosecurity-magazine.com/news/microsoft-defense-guidance/