Article 6J6YK In Major Gaffe, Hacked Microsoft Test Account Was Assigned Admin Privileges

In Major Gaffe, Hacked Microsoft Test Account Was Assigned Admin Privileges

by
hubie
from SoylentNews on (#6J6YK)

upstart writes:

How does a legacy test account grant access to read every Office 365 account?

The hackers who recently broke into Microsoft's network and monitored top executives' email for two months did so by gaining access to an aging test account with administrative privileges, a major gaffe on the company's part, a researcher said.

The new detail was provided in vaguely worded language included in a post Microsoft published on Thursday. It expanded on a disclosure Microsoft published late last Friday. Russia-state hackers, Microsoft said, used a technique known as password spraying to exploit a weak credential for logging into a "legacy non-production test tenant account" that wasn't protected by multifactor authentication. From there, they somehow acquired the ability to access email accounts that belonged to senior executives and employees working in security and legal teams.A "pretty big config error"

In Thursday's post updating customers on findings from its ongoing investigation, Microsoft provided more details on how the hackers achieved this monumental escalation of access. The hackers, part of a group Microsoft tracks as Midnight Blizzard, gained persistent access to the privileged email accounts by abusing the OAuth authorization protcol, which is used industry-wide to allow an array of apps to access resources on a network. After compromising the test tenant, Midnight Blizzard used it to create a malicious app and assign it rights to access every email address on Microsoft's Office 365 email service.

[...] Kevin Beaumont-a researcher and security professional with decades of experience, including a stint working for Microsoft-pointed out on Mastodon that the only way for an account to assign the all-powerful full_access_as_app role to an OAuth app is for the account to have administrator privileges. "Somebody," he said, "made a pretty big config error in production."

Original Submission

Read more of this story at SoylentNews.

External Content
Source RSS or Atom Feed
Feed Location https://soylentnews.org/index.rss
Feed Title SoylentNews
Feed Link https://soylentnews.org/
Feed Copyright Copyright 2014, SoylentNews
Reply 0 comments