Microsoft announced last week that it had discovered a nation-state attack on its corporate systems by the state-sponsored Russian hackers behind the SolarWinds attack. The hackers were able to access the email accounts of some members of Microsoft's executive team and potentially spy on them for weeks or months.
While Microsoft didn't provide many details about how the attackers gained access in its initial SEC disclosure late Friday, the software maker has now released an initial analysis of how the hackers got past its security measures. It also warns that the same hacker group, known as Nobelium or by the weather-themed name “Midnight Blizzard” that Microsoft uses for it, has targeted other organizations.
Nobelium initially reached Microsoft's systems via a password spray attack. This type of attack is a brute force attack in which hackers try a dictionary of likely passwords against accounts. Crucially, the attacked non-production test tenant account did not have two-factor authentication enabled. Nobelium “tailored its password spray attacks to a limited number of accounts and used a small number of attempts to evade detection,” Microsoft says.
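The “small number of attempts” detail above is exactly what a per-account lockout counter misses. The following added example (not code from the article or from Microsoft) runs two detection rules over a constructed set of sign-in events: a classic per-account failure threshold, and a per-source rule that flags one source failing against many distinct accounts with only one or two tries each. Function names, thresholds and the sample IPs are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample sign-in events, not real telemetry: (source_ip, account, result)
SPRAY_IP = "203.0.113.7"
SAMPLE_EVENTS = [(SPRAY_IP, f"test-user{i:02d}", "fail") for i in range(1, 7)]
SAMPLE_EVENTS += [(SPRAY_IP, "test-user03", "fail")]            # a second guess on one account
SAMPLE_EVENTS += [("198.51.100.20", "alice", "fail")] * 3        # a user mistyping her password
SAMPLE_EVENTS += [("198.51.100.20", "alice", "success")]


def per_account_lockout_alerts(events, threshold=5):
    """Classic control: alert on any single account with >= threshold failed sign-ins.

    A low-and-slow spray stays under this threshold on every account it touches,
    so it produces no alert for the spraying source.
    """
    failures = defaultdict(int)
    for _, account, result in events:
        if result == "fail":
            failures[account] += 1
    return sorted(acct for acct, n in failures.items() if n >= threshold)


def spray_alerts(events, min_accounts=5, max_per_account=2):
    """Spray rule: one source, many distinct accounts, few failures per account.

    Returns (source_ip, distinct_accounts_hit) for each source whose failures are
    spread across at least min_accounts accounts at max_per_account tries each.
    """
    per_source = defaultdict(lambda: defaultdict(int))
    for src, account, result in events:
        if result == "fail":
            per_source[src][account] += 1
    alerts = []
    for src, accounts in per_source.items():
        low_and_slow = [a for a, n in accounts.items() if n <= max_per_account]
        if len(low_and_slow) >= min_accounts:
            alerts.append((src, len(low_and_slow)))
    return sorted(alerts)


if __name__ == "__main__":
    print("lockout alerts:", per_account_lockout_alerts(SAMPLE_EVENTS))  # -> []
    print("spray alerts:  ", spray_alerts(SAMPLE_EVENTS))                # -> [('203.0.113.7', 6)]
```

The spray rule is only a starting point: attackers also rotate source addresses, so production detections usually key on the target tenant or user agent as well as the source IP, and a tenant without MFA still needs the control itself rather than detection alone.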
Through this attack, the group “used its initial access to identify and compromise a legacy OAuth test application that had elevated access to the Microsoft corporate environment.” OAuth is a widely used open standard for token-based authentication. It is commonly used on the Internet to allow you to log in to applications and services without having to provide your password to a website. Think about websites where you might log in with your Gmail account – that's OAuth in action.
This expanded access allowed the group to create additional malicious OAuth applications and accounts to access Microsoft's corporate environment and eventually the Office 365 Exchange Online service, which provides access to email inboxes.
“Midnight Blizzard used these malicious OAuth applications to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts,” explains Microsoft's security team.
Microsoft has not disclosed how many of its corporate email accounts were accessed and compromised, but the company previously described it as “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.”
Microsoft also still hasn't disclosed an exact timeline for how long hackers have been spying on its executive team and other employees. The first attack took place in late November 2023, but Microsoft only discovered it on January 12th. This could mean that the attackers spied on Microsoft executives for almost two months.
Hewlett Packard Enterprise (HPE) announced earlier this week that the same hacking group had previously gained access to its “cloud-based email environment.” HPE did not name the vendor, but said the incident was “likely related to the exfiltration of a limited number of [Microsoft] SharePoint files as early as May 2023.”
The attack on Microsoft came just days after the company announced its plan to overhaul its software security following major Azure cloud attacks. It is the latest cybersecurity incident at Microsoft, after 30,000 organizations' email servers were hacked in 2021 through a vulnerability in Microsoft Exchange Server, and after Chinese hackers used a Microsoft cloud exploit last year to break into U.S. government emails. Microsoft was also at the center of the huge SolarWinds attack nearly three years ago, carried out by the same Nobelium group behind this embarrassing email attack on executives.
Microsoft's admission that there is no two-factor authentication on what is clearly an important test account is likely to cause a stir in the cybersecurity community. While this was not a Microsoft software vulnerability, it involved a series of poorly configured test environments that allowed the hackers to move through Microsoft's corporate network undetected. “How does a non-production test environment compromise the highest officials at Microsoft?” asked CrowdStrike CEO George Kurtz in an interview with CNBC earlier this week. “I think there’s a lot more to come.”
Kurtz was right: more has come out, but there are still some important details missing. Microsoft does claim that if the same test environment were deployed outside of production today, “mandatory Microsoft policies and workflows would ensure that MFA and our active protections are enabled” to better protect against these attacks. Microsoft has a lot more explaining to do, especially if it wants its customers to believe that it is truly improving the way it designs, builds, tests and operates its software and services to better protect itself from security threats.