Article 6J1A5 Microsoft Network Breached Through Password-Spraying by Russian-State Hackers

Microsoft Network Breached Through Password-Spraying by Russian-State Hackers

by
janrinok
from SoylentNews on (#6J1A5)

upstart writes:

Microsoft network breached through password-spraying by Russian-state hackers:

Russia-state hackers exploited a weak password to compromise Microsoft's corporate network and accessed emails and documents that belonged to senior executives and employees working in security and legal teams, Microsoft said late Friday.

The attack, which Microsoft attributed to a Kremlin-backed hacking group it tracks as Midnight Blizzard, is at least the second time in as many years that failures to follow basic security hygiene has resulted in a breach that has the potential to harm customers. One paragraph in Friday's disclosure, filed with the Securities and Exchange Commission, was gobsmacking:

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account's permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.

Microsoft didn't detect the breach until January 12, exactly a week before Friday's disclosure. Microsoft's account raises the prospect that the Russian hackers had uninterrupted access to the accounts for as long as two months.

A translation of the 93 words quoted above: A device inside Microsoft's network was protected by a weak password with no form of two-factor authentication employed. The Russian adversary group was able to guess it by peppering it with previously compromised or commonly used passwords until they finally landed on the right one. The threat actor then accessed the account, indicating that either 2FA wasn't employed or the protection was somehow bypassed.

Furthermore, this "legacy non-production test tenant account" was somehow configured so that Midnight Blizzard could pivot and gain access to some of the company's most senior and sensitive employee accounts.

As Steve Bellovin, a computer science professor and affiliate law prof at Columbia University with decades of experience in cybersecurity, wrote on Mastodon:

A lot of fascinating implications here. A successful password spray attack suggests no 2FA and either reused or weak passwords. Access to email accounts belonging to "senior leadership... cybersecurity, and legal" teams using just the permissions of a "test tenant account" suggests that someone gave that test account amazing privileges. Why? Why wasn't it removed when the test was over? I also note that it took Microsoft about seven weeks to detect the attack.

Original Submission

Read more of this story at SoylentNews.

External Content
Source RSS or Atom Feed
Feed Location https://soylentnews.org/index.rss
Feed Title SoylentNews
Feed Link https://soylentnews.org/
Feed Copyright Copyright 2014, SoylentNews
Reply 0 comments