Tag Archive for: midnight

How ITDR Could Have Helped Microsoft in the Midnight Blizzard Hack

/in


Identity-based attacks are on the rise, but they can be prevented with the right identity threat detection and response (ITDR) measures. 

As winter crept in last year, so did identity threat actors. Microsoft revealed in January that the Russia-backed group Midnight Blizzard (aka Nobelium) had compromised senior-level email accounts and stolen sensitive information in a password-spraying attack dating back to November 2023. 

Thought to be affiliated with the Russian Foreign Intelligence Service, Midnight Blizzard performs espionage attacks on targets across the US and Europe. The group is perhaps best known for the SolarWinds hack in 2020 – a massive supply chain breach that affected thousands of organizations, including the US government. 

Midnight Blizzard’s latest attack on Microsoft was sophisticated but easily preventable. A protective layer of identity threat detection and response (ITDR) measures would have stopped the group from gaining a foothold in Microsoft’s corporate environment. In this blog, we’ll look at how. 

How It Happened

In late November 2023, Midnight Blizzard used a password-spraying attack to compromise an old Microsoft test account that didn’t have multifactor authentication (MFA) enabled. To avoid being detected or locked out of the system, the group used residential proxy networks to masquerade as legitimate users. It focused its attack on a small number of accounts. 

With a foothold in the system, Midnight Blizzard took over a legacy test OAuth application connected to Microsoft’s corporate environment and created more OAuth applications. It leveraged the privileges that came with these to grant itself the Microsoft 365 Exchange Online full_access_as_app role, which provided access to the entire 365 stack. In what Microsoft says was a bid to find information about itself, Midnight Blizzard then stole data, such as documents and emails from senior-level accounts. 

How It Was Discovered

“The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024,” Microsoft disclosed in an 8-K filing, “and immediately activated our response process to investigate, disrupt malicious activity, mitigate…

Source…

Microsoft hacked: Tech company reveals hack by Russia-backed group, Midnight Blizzard, or Nobelium

/in


CHICAGO — Microsoft revealed Friday that some of its corporate email accounts were hacked by a Russian-backed group.

The tech company said in a blog post that its security team detected the attack on Jan. 12 and quickly identified the group responsible: Midnight Blizzard, “the Russian state-sponsored actor also known as Nobelium.”

In late November, the group allegedly used a “password spray attack,” where a user uses a single common password against multiple accounts on the same application, to “compromise a legacy non-production test tenant account and gain a foothold,” according to Microsoft.

The group then “used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” the company said.

The hackers allegedly were targeting email accounts for information related to Midnight Blizzard, Microsoft said.

RELATED: Man says fraudulent accounts opened, home purchased in his name after city ransomware hack

Microsoft was able to remove the hacker’s access to the email accounts on Jan. 13, according to a company filing with the SEC.

“To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required,” the company said.

The company said it is in the process of informing its affected users.

The investigation is ongoing.

Copyright © 2024 ABC News Internet Ventures.

Source…

Analysis | The Cybersecurity 202: Disinformation threat pushes Doomsday Clock closer to midnight – The Washington Post

/in

Analysis | The Cybersecurity 202: Disinformation threat pushes Doomsday Clock closer to midnight  The Washington Post
“cyber warfare news” – read more