Russia-Based SolarWinds Hackers are Actively Targeting Microsoft

The November 2023 cyberattack on Microsoft that compromised corporate email accounts isn’t over yet. Microsoft recently disclosed that the Russia-based cybercriminal group Midnight Blizzard obtained information that can be disconcerting to customers. Redmond said the Russian hackers are using the information it previously exfiltrated to compromise it again.

Last Updated: March 14, 2024

Microsoft is Under Attack by Russian Hackers
  • The November 2023 cyberattack on Microsoft that compromised corporate email accounts isn’t over yet.
  • After discovering the attack in January 2024, Microsoft recently disclosed that the Russia-based cybercriminal group Midnight Blizzard obtained information that can be disconcerting to customers.

Late last week, Microsoft disclosed that Midnight Blizzard, also known as Nobelium, is attempting to hack it again. The group targeted and infiltrated the company in November 2023, an incident that only came to light in January 2024.

Microsoft said that Midnight Blizzard, also tracked as Cozy Bear and APT29, is using the information it previously exfiltrated from the company’s corporate email systems. Redmond has ascertained that the Russian state-sponsored advanced persistent threat group got hold of the company’s source code repositories and internal systems.

Tom Kellermann, SVP of Cyber Strategy at Contrast Security, told Spiceworks News & Insights over email, “This has tremendous national security implications. The Russians can now leverage supply chain attacks against Microsoft’s customers.”

Midnight Blizzard is the same threat group that victimized SolarWinds and hundreds of downstream customers, resulting in a months-long stealth cyberespionage attack. The APT group, believed to be affiliated with Russia’s military intelligence GRU, is also known to have hacked the Democratic National Convention before the 2016 election.

While the hack of Microsoft’s email systems enabled the Russia-based attackers to snoop on the company’s executives, they couldn’t access customer environments, as far as Microsoft knows. However, according to Microsoft, Midnight Blizzard has ramped up some of its offensive measures 10-fold.

“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” the Microsoft Security Response Center noted.

Microsoft has not provided the details on the type of information the threat actors have, but an increase in brute force attacks, such as password spraying, suggests Midnight Blizzard could have found passwords or other authentication data.
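As an added illustration (not code from the article or from Microsoft), the Python below applies the distinction the paragraph relies on to a constructed sign-in log: a password spray fails once or twice against many accounts from one source, unlike a brute force that hammers a single account. The log format, thresholds and IP addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real telemetry): time, source IP, account, outcome.
SAMPLE_LOG = """\
2024-03-08T02:00:05Z 203.0.113.7 alice@example.com FAILURE
2024-03-08T02:00:09Z 203.0.113.7 bob@example.com FAILURE
2024-03-08T02:00:14Z 203.0.113.7 carol@example.com FAILURE
2024-03-08T02:00:20Z 203.0.113.7 dave@example.com FAILURE
2024-03-08T02:00:26Z 203.0.113.7 erin@example.com FAILURE
2024-03-08T02:00:31Z 203.0.113.7 frank@example.com SUCCESS
2024-03-08T02:03:00Z 198.51.100.9 alice@example.com FAILURE
2024-03-08T02:03:10Z 198.51.100.9 alice@example.com FAILURE
2024-03-08T02:03:20Z 198.51.100.9 alice@example.com FAILURE
2024-03-08T02:03:30Z 198.51.100.9 alice@example.com SUCCESS
"""

def parse_log(text):
    """Parse whitespace-separated records into sorted (time, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that, inside one window, fail against at least min_users accounts
    with at most max_per_user attempts each: many users, few tries is the spray
    signature, unlike a brute force hammering one account. Later successes from the
    same source are listed so those accounts are reviewed first."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, outcome in events:
        (failures if outcome == "FAILURE" else successes)[ip].append((ts, user))
    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window forward
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                since = fails[start][0]
                hit = sorted({u for ts, u in successes[ip] if ts >= since})
                alerts[ip] = {"users": len(counts), "compromised": hit}
    return alerts
```

On the sample data only 203.0.113.7 is flagged, with frank@example.com listed for review; the repeated failures against a single account from 198.51.100.9 are a brute force, not a spray, and are left to a separate rule.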

Kellermann suggested deploying code runtime security to address the ongoing threat. “Timing is of the essence as the island hopping has already begun,” Kellermann said.


Jim Routh, chief trust officer at Saviynt, told Spiceworks, “There are basically two different approaches to applying least privilege to existing accounts that are not regularly used: 

  1. Wait for a threat actor to discover them and exploit them (free pen testing) and deal with the consequences.
  2. Use your IAM platform to both identify and revoke accounts that are not in use for 90 days, avoiding the need for certifications and shrinking the attack surface for a threat actor.

There are no fees paid in the first option, but there are financial and brand consequences. The second option is relatively easy to implement using a basic feature in advanced IGA platforms.”

Microsoft has been panned for lax cybersecurity operations, which have led to high-profile cyberattacks such as the compromise of Microsoft 365 (M365) cloud environments by the Chinese threat actor Storm-0558, a series of PrintNightmare vulnerabilities, the ProxyShell bugs, and two zero-day Exchange Server vulnerabilities known as ProxyNotShell.

More recently, Microsoft addressed the admin-to-kernel exploit (CVE-2024-21338) in the AppLocker driver in the February Patch Tuesday update, six months after Avast disclosed it to Microsoft. Avast noted how North Korean adversary Lazarus Group exploited the security bug to establish a read/write primitive on the Windows kernel and install a rootkit.

Microsoft replaced long-time CISO Bret Arsenault with Igor Tsyganskiy to alleviate concerns in December 2023.




Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
