Microsoft has provided new details for responders to the Russian nation-state attack that compromised its systems earlier in January, and issued guidance for users on how to combat this threat.
On January 12, 2024, Microsoft detected malicious activity on its network by “Midnight Blizzard” (aka Nobelium, APT29, Cozy Bear), a Russian state-sponsored group that specializes in espionage and intelligence gathering operations.
Initial access was achieved by compromising a legacy, non-production test tenant account, through password spray attacks. The group then used the account’s permissions to access the email accounts of some of Microsoft’s senior leadership team.
The test tenant account did not have multi-factor authentication (MFA) enabled, the tech giant admitted.
How Midnight Blizzard Obfuscated its Attack
Microsoft’s latest post revealed that Midnight Blizzard used residential proxy networks to launch its password spray attacks.
This routed traffic through a vast number of IP addresses that are also used by legitimate users, helping “ensure the actor obfuscated their activity and could persist the attack over time until successful.”
Microsoft noted that threat actors like Midnight Blizzard often use OAuth applications to help hide their malicious activity. In this case, the group leveraged its initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment.
The attackers built a new user account that they used to grant consent to additional malicious OAuth applications they had created. This enabled them to use the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, providing access to mailboxes.
How to Defend Against this Nation-State Attack
Microsoft advised a range of actions customers should take to reduce the risk of being hit by this type of attack:
- Identify malicious OAuth applications. Identify all current highly privileged identities in your tenant and particularly scrutinize privileges that belong to an unknown identity or an identity no longer in use. Defenders can also identify malicious OAuth apps using anomaly detection policies, and should implement conditional access app control for users connecting from unmanaged devices.
- Protect against password spray attacks. Recommended actions include eliminating insecure passwords and implementing MFA, educating employees to review sign-in activity and highlight suspicious sign-in attempts, and reset account passwords for any accounts targeted during a password spray attack.
- Enable identity alerts and protection. The Microsoft Entra ID Protection provides various detections to help users identify threat activity associated with the Midnight Blizzard attack. These include unfamiliar sign-in properties, password spray attacks and suspicious sign-ins.
- Identify and investigate suspicious OAuth activity. Numerous follow-on activities can be indicate if a threat actor has used OAuth applications in their attack. These include an app with application-only permissions accessing numerous emails, an increase in app API calls to the Exchange Web Services API after a credential update, and a suspicious users creating an OAuth app that accessed mailbox items.
Microsoft added that its investigation into the incident is ongoing and will provide more details as appropriate.
IT firm HPE said in a regulatory filing on January 19 that it believes Midnight Blizzard was behind a breach of its cloud-based email environment back in May 2023.
This attack enabled the hackers to access HPE mailboxes belonging to individuals in its cybersecurity, go-to-market, business segments, and other functions.