
Microsoft has released new information for responders dealing with the recent Russian nation-state attack that compromised its systems in January, along with guidance for users on how to combat this threat.

By Sharique

On January 12, 2024, Microsoft detected malicious activity on its network by “Midnight Blizzard” (also known as Nobelium, APT29, Cozy Bear), a Russian state-sponsored group specializing in espionage and intelligence gathering operations.

The initial access was gained by compromising a legacy, non-production test tenant account through password spray attacks. Subsequently, the group used the account’s permissions to access the email accounts of some of Microsoft’s senior leadership team.

Microsoft admitted that the test tenant account did not have multi-factor authentication (MFA) enabled.

Midnight Blizzard’s Obfuscation Techniques

According to Microsoft’s recent post, Midnight Blizzard launched its password spray attacks through residential proxy networks. This routed the attempts through a large number of IP addresses that legitimate users also share, which obscured the activity and allowed the attack to continue at a low rate until it succeeded.
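The tactic described above has a recognisable shape in sign-in logs: many distinct accounts each receive only one or two failures, the failures come from many unrelated source addresses rather than one, and the account that eventually succeeds is the one to reset first. The script below is an added illustration of that detection logic, not code from Microsoft or from the original post; the sign-in events are constructed (RFC 5737 test addresses, fictional users) and the field layout, window size and thresholds are assumptions to be tuned to a real tenant's log volume.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real logs:
# (timestamp, user, source_ip, result). Eight distinct accounts each fail
# once from a different address inside a few minutes, then the legacy test
# account succeeds. bob's three failures from one address are ordinary noise.
SAMPLE_EVENTS = [
    ("2024-01-12T02:00:01", "alice@example.test", "203.0.113.10", "failure"),
    ("2024-01-12T02:00:14", "bob@example.test", "198.51.100.7", "failure"),
    ("2024-01-12T02:00:33", "carol@example.test", "192.0.2.44", "failure"),
    ("2024-01-12T02:01:02", "dave@example.test", "203.0.113.88", "failure"),
    ("2024-01-12T02:01:40", "erin@example.test", "198.51.100.120", "failure"),
    ("2024-01-12T02:02:11", "frank@example.test", "192.0.2.9", "failure"),
    ("2024-01-12T02:02:50", "grace@example.test", "203.0.113.201", "failure"),
    ("2024-01-12T02:03:19", "heidi@example.test", "198.51.100.33", "failure"),
    ("2024-01-12T02:03:58", "legacy-test@example.test", "192.0.2.150", "failure"),
    ("2024-01-12T02:05:07", "legacy-test@example.test", "203.0.113.61", "success"),
    ("2024-01-12T02:06:00", "bob@example.test", "198.51.100.7", "failure"),
    ("2024-01-12T02:06:20", "bob@example.test", "198.51.100.7", "failure"),
    ("2024-01-12T02:06:45", "bob@example.test", "198.51.100.7", "success"),
    ("2024-01-12T05:10:00", "alice@example.test", "203.0.113.10", "success"),
]

EPOCH = datetime(1970, 1, 1)


def _parse(events):
    return [(datetime.fromisoformat(ts), u, ip, r) for ts, u, ip, r in events]


def detect_password_spray(events, window_minutes=30, min_users=8,
                          max_failures_per_user=2):
    """Bucket sign-ins into fixed windows and flag windows whose failures are
    spread thinly over many accounts (the spray signature) rather than piled
    onto one account (the brute-force signature). Thresholds are assumptions."""
    window = timedelta(minutes=window_minutes)
    buckets = defaultdict(list)
    for ts, user, ip, result in _parse(events):
        start = EPOCH + ((ts - EPOCH) // window) * window  # floor to window
        buckets[start].append((ts, user, ip, result))

    findings = []
    for start in sorted(buckets):
        evs = buckets[start]
        failures_by_user = defaultdict(int)
        failing_ips = set()
        for _, user, ip, result in evs:
            if result == "failure":
                failures_by_user[user] += 1
                failing_ips.add(ip)
        # Accounts that saw only a few failures each: the sprayed population.
        sprayed = sorted(u for u, n in failures_by_user.items()
                         if n <= max_failures_per_user)
        if len(sprayed) < min_users:
            continue
        # Accounts the attacker then signed into are the first to reset.
        compromised = sorted({u for _, u, _, r in evs
                              if r == "success" and u in sprayed})
        findings.append({
            "window_start": start.isoformat(),
            "distinct_sprayed_users": len(sprayed),
            "sprayed_users": sprayed,
            # Close to 1.0 means a different address per attempt, the pattern
            # a residential proxy pool produces.
            "ips_per_failing_user": round(len(failing_ips) / len(failures_by_user), 2),
            "compromised_after_spray": compromised,
        })
    return findings


def run_detection():
    return detect_password_spray(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_detection():
        print(finding)
```

Run against the constructed events it reports a single window starting 02:00 with eight sprayed accounts, an address-per-account ratio of 1.0, and legacy-test@example.test as the account that succeeded after the spray; bob is excluded because three failures on one account from one address is not the spray shape. Blocking or rate-limiting by IP does nothing against the proxy pattern, which is why the page's recommendations centre on MFA and credential hygiene rather than network controls.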

Microsoft pointed out that threat actors like Midnight Blizzard often employ OAuth applications to conceal their malicious activity. In this instance, the group leveraged its initial access to identify and compromise a legacy test OAuth application with elevated access to the Microsoft corporate environment.

The attackers then created a new user account to grant consent to additional malicious OAuth applications they had developed. This allowed them to utilize the legacy test OAuth application to grant themselves the Office 365 Exchange Online full_access_as_app role, gaining access to mailboxes.

Defense Strategies Against this Nation-State Attack

Microsoft recommended several actions customers should take to mitigate the risk of falling victim to this type of attack:

Identify malicious OAuth applications: Customers should scrutinize all current highly privileged identities in their tenant, paying particular attention to privileges belonging to unknown or unused identities. Additionally, anomaly detection policies can help identify malicious OAuth apps, and conditional access app control should be implemented for users connecting from unmanaged devices.

Protect against password spray attacks: Recommended measures include eliminating insecure passwords, implementing MFA, educating employees to review sign-in activity for suspicious attempts, and resetting account passwords for any targeted during a password spray attack.

Enable identity alerts and protection: Microsoft Entra ID Protection offers various detections to help identify threat activity associated with the Midnight Blizzard attack, such as unfamiliar sign-in properties, password spray attacks, and suspicious sign-ins.

Identify and investigate suspicious OAuth activity: Follow-on activities, including app API calls to the Exchange Web Services API after a credential update and suspicious users creating OAuth apps accessing mailbox items, may indicate a threat actor has leveraged OAuth applications in their attack.

Microsoft emphasized that its investigation into the incident is ongoing and will provide further details as necessary.
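The first recommendation, reviewing highly privileged and unused identities, is a routine that can be scripted once the tenant's service principals and their app role assignments have been exported. The script below is an added example, not Microsoft's tooling or the original post's code. It runs over constructed records whose shape loosely follows the service principal and app role assignment objects a directory export produces (that shape, the `lastSignIn` and `createdDateTime` fields, and the identifiers are all assumptions), resolves each assignment's role id to its role value, and flags the three things the page singles out: a mailbox-wide role such as full_access_as_app, an application that has not signed in for a long time, and an application created very recently.

```python
from datetime import datetime, timedelta

# Role values that grant access to every mailbox in the tenant.
# full_access_as_app is the role named in the incident; Mail.ReadWrite is
# Microsoft Graph's equivalent application permission, included as a
# second example of a role worth reviewing.
HIGH_RISK_ROLES = {"full_access_as_app", "Mail.ReadWrite"}

# Constructed records, not a real tenant. Ids are placeholders.
SERVICE_PRINCIPALS = [
    {"id": "sp-exchange", "displayName": "Office 365 Exchange Online",
     "appRoles": [{"id": "role-full-access", "value": "full_access_as_app"},
                  {"id": "role-mail-read", "value": "Mail.Read"}]},
    {"id": "sp-legacy-test", "displayName": "Legacy Test App",
     "createdDateTime": "2019-03-04T00:00:00", "lastSignIn": "2023-06-01T00:00:00"},
    {"id": "sp-sync-helper", "displayName": "Sync Helper",
     "createdDateTime": "2024-01-13T00:00:00", "lastSignIn": "2024-01-13T03:00:00"},
    {"id": "sp-hr", "displayName": "HR Connector",
     "createdDateTime": "2022-08-10T00:00:00", "lastSignIn": "2024-01-11T12:00:00"},
]
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-legacy-test", "resourceId": "sp-exchange", "appRoleId": "role-full-access"},
    {"principalId": "sp-sync-helper", "resourceId": "sp-exchange", "appRoleId": "role-full-access"},
    {"principalId": "sp-hr", "resourceId": "sp-exchange", "appRoleId": "role-mail-read"},
]

REVIEW_TIME = datetime(2024, 1, 19)  # fixed so the example is reproducible


def review_app_role_assignments(service_principals, assignments, now,
                                stale_days=90, recent_days=7):
    """Return one finding per assignment that deserves a human look, with the
    reasons it was flagged. Assignments with no reason are left out."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for a in assignments:
        resource = by_id.get(a["resourceId"])
        principal = by_id.get(a["principalId"])
        if resource is None or principal is None:
            continue  # dangling assignment; handle separately in real use
        # Translate the opaque role id into the role value on the resource.
        role_value = next((r["value"] for r in resource.get("appRoles", [])
                           if r["id"] == a["appRoleId"]), "<unknown role id>")
        reasons = []
        if role_value in HIGH_RISK_ROLES:
            reasons.append(f"high-risk role {role_value} on {resource['displayName']}")
        last = principal.get("lastSignIn")
        if last is None:
            reasons.append("no recorded sign-in")
        elif now - datetime.fromisoformat(last) > timedelta(days=stale_days):
            reasons.append(f"unused for more than {stale_days} days")
        created = principal.get("createdDateTime")
        if created and now - datetime.fromisoformat(created) <= timedelta(days=recent_days):
            reasons.append(f"created within the last {recent_days} days")
        if reasons:
            findings.append({"app": principal["displayName"],
                             "principalId": principal["id"],
                             "role": role_value, "reasons": reasons})
    return sorted(findings, key=lambda f: f["app"])


def run_review():
    return review_app_role_assignments(SERVICE_PRINCIPALS, APP_ROLE_ASSIGNMENTS, REVIEW_TIME)


if __name__ == "__main__":
    for finding in run_review():
        print(finding["app"], finding["role"], "; ".join(finding["reasons"]))
```

On the constructed data the stale legacy application is flagged twice (mailbox-wide role, no sign-in for months) and the newly created application once for its role and once for its age, while the HR connector holding only a read-scoped role is not reported. In a real review the same three questions apply to every principal, and the unused-but-privileged combination is the one that matches the legacy test application described above.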

In a regulatory filing on January 19, IT firm HPE stated its belief that Midnight Blizzard was responsible for a breach of its cloud-based email environment in May 2023. This breach allowed hackers to access HPE mailboxes belonging to individuals in its cybersecurity, go-to-market, business segments, and other functions.
