On January 12, 2024, Microsoft detected an attack on their email systems and initiated their incident response protocol. Microsoft Security and Response concluded this attack was the handiwork of the Russian SVR (intelligence agency) that goes under various names from different threat intelligence vendors including Midnight Blizzard, Nobelium and APT29. There is no mistaking it-- the SVR is a well-funded and highly capable nation state adversary. Microsoft has been involved in efforts defending Ukraine against cyber attacks and it is believed the Midnight Blizzard actors were after emails from senior Microsoft officials to learn what they know about Russian cyber warfare capabilities.
More concerning, is Microsoft has information that other large companies have also been compromised and will be notifying affected companies. HPE disclosed previously in an SEC notice they were similarly compromised. With the new SEC regulations from last December, publicly listed companies are required to disclose material compromises in short order. More to come from this Midnight Blizzard campaign on which companies were affected.
Legacy Servers Played a Key Role
While much of the details, TTPs, and IOCs will be forthcoming in the days and weeks to come, there are some short term learnings we can take away from this incident, especially as it relates to small businesses. In its blog on the Midnight Blizzard incident from January 26th, Microsoft Security and Response Center noted that the adversary did not exploit a vulnerability in the M365 cloud tenant Microsoft uses for its own email. Rather, they exploited the existence of a "legacy test tenant" on the Microsoft network with an old fashioned password spray attack, and then used that foothold to access the production corporate tenant.
Let's unpack that a little. Microsoft did not provide much detail on this because frankly it seems to be an egg-on-face moment for them. While it's true that Midnight Blizzard/CozyBear is a well-funded nation state adversary, the techniques used to compromise did not require much sophistication. One truism of sophisticated adversaries is they don't burn zero-days when a simple password spray attack works.
Further, no need to go in the front door when the backdoor isn't well-secured or monitored. That's what this adversary did. They gained access to a legacy test tenant, perhaps an older instance of O365, attempted guessable passwords on accounts and yachtzee! got in.
Lessons Learned You Can Take Home
Adversaries, regardless of their capabilities, typically employ the simplest method necessary to achieve their objectives. In this case, rather than attack the production tenant which has better security measures, they found the legacy test tenant on the network and tried a password spray attack which was sufficient to gain access to an account. From there, they were able to leverage that account to gain access to the production tenant. So what did we learn?
Know what's on your network: we encounter legacy on-prem O365 tenants often in our network scans that are wide open. Often these are slated for deprecation, but they are still out there accepting network traffic. As such they are susceptible to attack. The lesson applies more generally, not just to O365. Any server, even IoT devices become staging points for attack. Default passwords are often not changed on IoT devices.
Decommission legacy devices: When it comes to critical infrastructure make sure you deprecate/decommission devices no longer in use. This will reduce your attack surface.
Implement MFA on all accounts: it appears that Microsoft made a critical error for its legacy tenant by not enforcing MFA. We consider user configuration another attack surface when we scan M365 for security exposures. The number one issue we find are legacy accounts and MFA not enabled on user (and super user) accounts.
Even the most well funded organizations make mistakes. Microsoft is not only the world's largest IT company, they are also the world's largest security company selling more security software and services than any other firm. In other words, they don't suffer from lack of talent, resources or security software. Even still they made basic mistakes that allowed an adversary to gain a foothold on the network and cause reputational damage. If Microsoft can make these errors, so will your organization. The take home lesson is not to assume all is squeaky clean. Rather, you need to continuously scan your network for attack surfaces for security exposures, because we know the adversary does.