The hack of Microsoft’s senior executive team is seen as an aggressively bold move by one of the world’s leading state-linked threat groups.
However, veteran researchers and industry analysts also see the attack as a reminder of what they consider longstanding weaknesses in Microsoft’s security capabilities.
There's also a perception that Microsoft, a dominant player in business applications and cloud computing, does what it wants.
“Let’s be clear, Microsoft was the victim of a crime,” said A.J. Grotto, a fellow at Stanford University’s Cyber Policy Center and former White House Director for Cyber Policy. “But it did the cyber equivalent of parking its car in a rough neighborhood and leaving the doors unlocked and valuables in plain view.”
Last week Microsoft disclosed a hack by Midnight Blizzard, the Russia-affiliated threat actor formerly known as Nobelium. The group stole email and other documents from key Microsoft executives through a password spray attack dating back to late November.
The hackers compromised a legacy, non-production test tenant account and the attack was not discovered until Jan. 12, according to Microsoft.
A password spray attack is a type of brute-force technique, typically used by attackers who lack any other way to break into a system, according to security researchers. Password spray attacks can usually be prevented by basic additional authentication layers that confirm a user’s identity.
“This was not a sophisticated attack and could have been prevented with basic cyber hygiene,” Grotto said.
Microsoft Threat Intelligence researchers, in a follow-up blog post released Thursday, conceded that additional prevention measures would have made the attack much harder to pull off.
“If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure [multifactor authentication] and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks,” Microsoft Threat Intelligence said in the blog.
The threat group leveraged its initial access to abuse a legacy test OAuth application, then created additional OAuth applications and used that privilege to gain access to Microsoft corporate email accounts, Microsoft said.
Midnight Blizzard used residential proxy networks to hide its activity from detection, as the IP addresses are normally used by legitimate users, according to the blog.
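As an added illustration (this is not code from the article, from Microsoft, or from any vendor mentioned), the following Python sketches the detection logic a defender would run over sign-in logs to catch the pattern described above: a low-and-slow password spray whose failures are scattered across many accounts and, because of residential proxies, across many ordinary-looking source addresses. The log format, the sample records and the threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (time, account, source IP, result);
# illustrative only, not taken from any real tenant's logs.
SAMPLE_EVENTS = """\
2023-11-28T02:00:01Z alice 203.0.113.10 FAIL
2023-11-28T02:00:09Z bob 203.0.113.11 FAIL
2023-11-28T02:00:17Z carol 198.51.100.7 FAIL
2023-11-28T02:00:25Z dave 198.51.100.8 FAIL
2023-11-28T02:00:33Z erin 192.0.2.44 FAIL
2023-11-28T02:00:41Z frank 192.0.2.45 FAIL
2023-11-28T02:00:49Z legacy-test 203.0.113.12 SUCCESS
2023-11-28T09:15:00Z alice 203.0.113.10 FAIL
2023-11-28T09:15:30Z alice 203.0.113.10 SUCCESS
"""

def parse_events(text):
    """One record per line; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "user": user, "ip": ip, "ok": result == "SUCCESS"})
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag windows where failures hit many accounts a few times each. Bucketing
    by time, not by source IP, matters: residential proxies spread the attempts
    across many ordinary-looking addresses, so a per-IP threshold never fires."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e["ts"] - (e["ts"] - datetime.min) % window].append(e)
    findings = []
    for start, evs in sorted(buckets.items()):
        fails = defaultdict(int)
        for e in evs:
            if not e["ok"]:
                fails[e["user"]] += 1
        # A few accounts hit hard is classic brute force; many accounts hit
        # lightly is the spray signature this detector is after.
        if len(fails) < min_users or max(fails.values()) > max_per_user:
            continue
        findings.append({"window_start": start, "distinct_users": len(fails),
                         "distinct_ips": len({e["ip"] for e in evs if not e["ok"]}),
                         # any account that signed in during a spray window deserves a look
                         "successes": sorted(e["user"] for e in evs if e["ok"])})
    return findings
```

The single-user retry at 09:15 is not flagged, while the 02:00 window is, along with the account that succeeded inside it.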
“Unfortunately, Microsoft did not manage or monitor their non-human identities, and in turn, a deprecated, over-permissive app existed on the compromised corporate Microsoft tenant,” Tal Skverer, research team lead at Astrix Security, said via email.
Microsoft’s investigation revealed that Midnight Blizzard targeted other organizations, and the company began notifying targeted victims.
Hewlett Packard Enterprise on Wednesday disclosed it was attacked by the same threat group in an intrusion dating back to last May.
Midnight Blizzard accessed data from a small percentage of HPE mailboxes and a limited number of employee SharePoint files in cybersecurity and other departments. HPE declined to comment on whether it discussed these attacks with other companies or organizations, but confirmed it is cooperating with law enforcement.
“The threat actor used a compromised account to gain unauthorized access to the Office 365 email environment,” a spokesperson for HPE said via email.
The company is continuing an investigation to determine what specific information was accessed and exfiltrated from the affected mailboxes.
Security changes ahead
The attack disclosures come just six months after the state-linked hack of Microsoft Exchange, which led to tens of thousands of emails being stolen from the U.S. State Department.
The company faced significant backlash from rivals and U.S. officials for making cloud customers pay extra for critical security features, including logs.
Microsoft reached an agreement with the Cybersecurity and Infrastructure Security Agency to make security logs available for no extra charge and later expanded default retention times in Purview. The steps were part of a wider effort to enhance security following the attacks.
Microsoft in November announced a plan called the Secure Future Initiative, an effort to incorporate secure by design and secure by default principles into its software development process.
Vasu Jakkal, CVP of Microsoft Security, told Cybersecurity Dive earlier this month via email that the company was laser-focused on transforming the way it does software, using AI and automation to make sure the products were “secure by design and default, in deployment and in operation.”
Microsoft, in the blog post released last week alongside its 8-K filing, admitted it needs to accelerate its Secure Future Initiative plans and make potentially painful decisions that may impact its normal business processes.
“This will likely cause some level of disruption while we adapt to this new reality,” Microsoft officials said in the post, “but this is a necessary step, and only the first of several we will be taking to embrace this philosophy.”
In a LinkedIn post following the disclosure, security researcher Kevin Beaumont said the company needs a “radical technical and cultural transformation to retain trust.”
Despite Microsoft’s promises, Tenable CEO Amit Yoran expects the company to slowly roll out more sobering information about what truly happened beyond the Midnight Blizzard attack, and he does not expect much in the way of major reform to come out of it.
“If prior track records are an indicator of current and future behavior, it will be interesting to watch this story come out in dribs and drabs over the coming months,” Yoran said via email.