Microsoft sheds some light on Russian email heist – and how to learn from Redmond's mistakes
Step one, actually turn on MFA
Microsoft, a week after disclosing that Kremlin-backed spies broke into its network and stole internal emails and files from its executives and staff, has now confirmed the compromised corporate account used in the genesis of the heist didn't even have multi-factor authentication (MFA) enabled.
On Thursday, Redmond admitted Midnight Blizzard – a Moscow-supported espionage team also known as APT29 or Cozy Bear – "utilized password spray attacks that successfully compromised a legacy, non-production test tenant account that did not have multifactor authentication (MFA) enabled."
A password-spray attack is where a miscreant tries to log into a large number of accounts using one password, waits a while, then tries again with another password, and repeats this over and over. It's a type of brute-force attack designed to stay under account-lockout thresholds and avoid tripping monitoring systems that catch multiple failed logins to one account in a short period of time. Password spraying is more subtle: the failures are spread thinly across many accounts, and once the attackers identify an account with a weak password they can use it to start drilling into the IT estate.
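To make the difference concrete, here's an added example (not code from Microsoft's advisory or from this article) of the detection logic a defender would want: a lockout-style rule that counts failures per account, beside a spray rule that counts distinct accounts per source with only a few failures each. The log format and every event in it are constructed for the demonstration; the same tally is also kept tenant-wide, because a spray pushed through many proxy IPs (as described further down) can keep each individual source below the per-source threshold.

```python
# Added example: telling a password spray apart from a classic brute force in
# sign-in logs. Not code from Microsoft's advisory or this article; the log
# format and every event below are constructed for the demonstration.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

TENANT = "*"  # pseudo-source for the tenant-wide tally


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    result: str  # "FAIL" or "OK"


def _constructed_log() -> str:
    """Constructed sample in the form '<ISO time> <source ip> <account> <FAIL|OK>'."""
    lines = []
    # Spray from one source: ten accounts, one guess each, three minutes apart.
    for i in range(10):
        lines.append(f"2023-11-20T02:{3 * i:02d}:00Z 203.0.113.7 user{i:02d}@contoso.test FAIL")
    lines.append("2023-11-20T02:40:00Z 203.0.113.7 user07@contoso.test OK")  # weak password found
    # The same spray rotated through three 'residential' exit IPs, four accounts each.
    for i in range(12):
        lines.append(f"2023-11-20T03:{3 * i:02d}:00Z 198.51.100.{11 + i % 3} userB{i:02d}@contoso.test FAIL")
    # Classic brute force: one account hammered twelve times in twelve minutes.
    for i in range(12):
        lines.append(f"2023-11-20T04:{i:02d}:00Z 192.0.2.9 admin@contoso.test FAIL")
    # Benign noise: a user mistypes twice, then gets in.
    lines += ["2023-11-20T05:00:00Z 192.0.2.50 bob@contoso.test FAIL",
              "2023-11-20T05:00:30Z 192.0.2.50 bob@contoso.test FAIL",
              "2023-11-20T05:01:00Z 192.0.2.50 bob@contoso.test OK"]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse(log_text: str) -> list[Event]:
    """Parse the constructed log format into Event tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def per_account_lockout_alerts(events, threshold=10):
    """What a lockout-style rule sees: accounts with at least `threshold` failures.
    It catches the brute force and misses both sprays."""
    counts = Counter(e.user for e in events if e.result == "FAIL")
    return sorted(u for u, n in counts.items() if n >= threshold)


def spray_alerts(events, window=timedelta(hours=1), min_accounts=8, max_per_account=3):
    """Spray signature: within `window`, a source fails against many distinct accounts
    with only a few attempts each. The same tally is kept under TENANT so a spray
    spread across many proxy IPs (each below min_accounts) is still visible."""
    fails = sorted(e for e in events if e.result == "FAIL")
    alerts = {}
    for i, first in enumerate(fails):
        per_source = defaultdict(Counter)
        for e in fails[i:]:
            if e.ts - first.ts >= window:
                break  # fails are time-sorted, so nothing later fits the window
            per_source[e.ip][e.user] += 1
            per_source[TENANT][e.user] += 1
        for src, counts in per_source.items():
            sprayed = [u for u, n in counts.items() if n <= max_per_account]
            if len(sprayed) >= min_accounts:
                alerts[src] = max(alerts.get(src, 0), len(sprayed))
    return alerts


def compromised_candidates(events, alerts):
    """Accounts that a spraying source failed against and also successfully used."""
    spraying = {src for src in alerts if src != TENANT}
    failed = {(e.ip, e.user) for e in events if e.result == "FAIL" and e.ip in spraying}
    return sorted({e.user for e in events if e.result == "OK" and (e.ip, e.user) in failed})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("lockout rule fires on:", per_account_lockout_alerts(evs))
    print("spray sources:", spray_alerts(evs))
    print("check these accounts first:", compromised_candidates(evs, spray_alerts(evs)))
```

On the constructed data the lockout rule fires only on the hammered admin account, the spray rule names the single spraying source plus the tenant-wide view that exposes the proxy-rotated spray, and the last function points straight at the one account whose weak password was found. The thresholds are starting points; baseline them against your own tenant's normal failure noise before turning the rule on.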
After gaining initial access to a non-production Microsoft system, the intruders compromised a legacy test OAuth application that had access to the Windows giant's corporate IT environment. From there we're told:
The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.
The crew then used this access to steal emails and other files from corporate inboxes belonging to top Microsoft executives and other staff. Plus, we're told, Cozy Bear routed its traffic through residential broadband networks as proxies, so it looked like legitimate work-from-home staff connecting from real users' IP addresses rather than from known hostile infrastructure.
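The consent chain Microsoft describes above, a legacy app handed full_access_as_app and freshly created apps consented to by a new account, is exactly what an application-permission audit should surface. As an added example, not Microsoft's code or guidance, here is such an audit in Python over records shaped like Microsoft Graph servicePrincipal and appRoleAssignment objects; every id, display name and date in the sample is constructed, and the set of permissions treated as high-risk is this example's own choice.

```python
# Added example: auditing which OAuth apps hold application permissions such as
# Exchange Online's full_access_as_app. Not Microsoft's code or guidance; the
# objects mirror the shape of Graph servicePrincipal and appRoleAssignment
# records, but every id, name and date here is constructed for the demo.
import json
from datetime import datetime, timedelta, timezone

# Application permissions that let an app act on every mailbox, or rewrite the
# directory, with no user in the loop. full_access_as_app is the one the
# intruders granted themselves; the rest are comparable Graph permissions.
HIGH_RISK_PERMISSIONS = {
    "full_access_as_app", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}

AUDIT_DATE = datetime(2023, 12, 1, tzinfo=timezone.utc)  # constructed "now" for the demo

# Constructed: resource apps (with their appRoles) and client apps in one tenant.
SAMPLE_SERVICE_PRINCIPALS = json.loads("""[
  {"id": "res-exo", "displayName": "Office 365 Exchange Online",
   "createdDateTime": "2015-01-01T00:00:00Z",
   "appRoles": [{"id": "role-exo-full", "value": "full_access_as_app",
                 "displayName": "Use Exchange Web Services with full access to all mailboxes"}]},
  {"id": "res-graph", "displayName": "Microsoft Graph",
   "createdDateTime": "2015-01-01T00:00:00Z",
   "appRoles": [{"id": "role-graph-mailread", "value": "Mail.Read",
                 "displayName": "Read mail in all mailboxes"},
                {"id": "role-graph-userread", "value": "User.Read.All",
                 "displayName": "Read all users' full profiles"}]},
  {"id": "sp-legacy", "displayName": "legacy-test-app",
   "createdDateTime": "2019-06-01T00:00:00Z", "appRoles": []},
  {"id": "sp-new", "displayName": "SyncHelper",
   "createdDateTime": "2023-11-25T10:00:00Z", "appRoles": []},
  {"id": "sp-hr", "displayName": "hr-directory-sync",
   "createdDateTime": "2022-01-10T09:00:00Z", "appRoles": []}
]""")

# Constructed: which client app has been granted which appRole on which resource.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalId": "sp-legacy", "resourceId": "res-exo", "resourceDisplayName": "Office 365 Exchange Online",
   "appRoleId": "role-exo-full", "createdDateTime": "2023-11-26T03:12:00Z"},
  {"principalId": "sp-new", "resourceId": "res-exo", "resourceDisplayName": "Office 365 Exchange Online",
   "appRoleId": "role-exo-full", "createdDateTime": "2023-11-26T03:20:00Z"},
  {"principalId": "sp-new", "resourceId": "res-graph", "resourceDisplayName": "Microsoft Graph",
   "appRoleId": "role-graph-mailread", "createdDateTime": "2023-11-26T03:21:00Z"},
  {"principalId": "sp-hr", "resourceId": "res-graph", "resourceDisplayName": "Microsoft Graph",
   "appRoleId": "role-graph-userread", "createdDateTime": "2022-01-10T09:30:00Z"}
]""")


def _parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def index_app_roles(service_principals):
    """Map (resource objectId, appRoleId) -> permission value, so an assignment's
    opaque appRoleId can be read as e.g. 'full_access_as_app'."""
    roles = {}
    for sp in service_principals:
        for role in sp.get("appRoles", []):
            roles[(sp["id"], role["id"])] = role["value"]
    return roles


def audit_app_permissions(service_principals, assignments, now=AUDIT_DATE, recent_days=30):
    """One finding per assignment that grants a high-risk permission, or that pairs
    a freshly created client app with freshly granted consent."""
    roles = index_app_roles(service_principals)
    by_id = {sp["id"]: sp for sp in service_principals}
    recent = timedelta(days=recent_days)
    findings = []
    for a in assignments:
        client = by_id[a["principalId"]]
        permission = roles.get((a["resourceId"], a["appRoleId"]), a["appRoleId"])
        app_is_new = now - _parse_time(client["createdDateTime"]) < recent
        consent_is_new = now - _parse_time(a["createdDateTime"]) < recent
        reasons = []
        if permission in HIGH_RISK_PERMISSIONS:
            reasons.append(f"high-risk application permission {permission}")
        if app_is_new:
            reasons.append(f"client app created in the last {recent_days} days")
        if consent_is_new:
            reasons.append(f"consent granted in the last {recent_days} days")
        if permission in HIGH_RISK_PERMISSIONS or (app_is_new and consent_is_new):
            findings.append({"client": client["displayName"], "resource": a["resourceDisplayName"],
                             "permission": permission, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_app_permissions(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_ASSIGNMENTS):
        print(f"{f['client']} -> {f['resource']}: {f['permission']} ({'; '.join(f['reasons'])})")
```

On the sample, the long-lived legacy app stands out because its full_access_as_app grant is days old even though the app itself is years old, the newly created app is flagged twice, and the boring directory-sync app with a read-only permission produces nothing. In a real tenant the two lists come from `GET /servicePrincipals` (which includes each resource's appRoles) and `GET /servicePrincipals/{id}/appRoleAssignments`; for each finding, remove the assignment, inspect the account that granted consent, and review the client app's credentials.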
In its disclosure Redmond also wants everyone to know that Midnight Blizzard targeted other organisations. HPE can attest to this, although at this point it's not clear how that intrusion was done.
Why are you waiting?
This is yet another proof point as to why everyone — especially global tech giants like Microsoft — should turn on MFA as soon as possible for all user accounts.
Microsoft declined to comment further on the intrusion, though a spokesperson did point The Register to a line in its earlier alert about the security breach that indicates it's going to fast-track MFA across the board:
"We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes."
The latest advisory from Microsoft includes guides for administrators on how to avoid being compromised in the same way the software goliath was hit. We'll leave it up to you as to whether or not to trust its advice but hey, at least some of us could learn from Redmond's mistakes.
As a recap: last Friday Redmond admitted the snoops, linked to Russia's foreign intelligence, "used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account's permissions to access a very small percentage of Microsoft corporate email accounts."
This all happened in late November, Microsoft didn't spot the intrusion until January 12, and the compromised email accounts included those of senior leadership and cybersecurity and legal employees.
Microsoft's disclosures turned the spotlight on the apparent insufficient MFA protection deployed within the IT titan, which, as US Senator Ron Wyden told The Register, is "inexcusable" and "would have prevented this latest attack."
Indeed Redmond itself claimed: "If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks."
According to Redmond's latest threat intelligence: "For Microsoft, this incident has highlighted the urgent need to move even faster."
Or, you know, review basic security hygiene across the whole shebang – and we know Microsoft has a sprawling mega-empire – every once in a while. ®