Microsoft has confirmed that the Russian Foreign Intelligence Service hacking group that broke into its executives' email accounts in November 2023 also breached other organizations as part of the same malicious campaign.
Midnight Blizzard (aka Nobelium, or APT29) is believed to be a state-backed cyberespionage group tied to the Russian Foreign Intelligence Service (SVR), primarily targeting government organizations, NGOs, software developers, and IT service providers in the US and Europe.
On January 12, 2024, Microsoft discovered that the Russian hackers had breached its systems in November 2023 and stolen email from its leadership, cybersecurity, and legal teams. Some of those emails contained information about the hacking group itself, allowing the threat actors to learn what Microsoft knew about them.
Microsoft now explains that the threat actors used residential proxies and "password spraying" brute-force attacks to target a small number of accounts, one of which was a "legacy, non-production test tenant account."
"In this observed Midnight Blizzard activity, the actor tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks based on the volume of failures," explains an update from Microsoft.
When Microsoft first disclosed the breach, many wondered whether MFA was enabled on this test account and how a legacy test account could have enough privileges to spread laterally to other accounts in the organization.
Microsoft has now confirmed that MFA was not enabled for that account, allowing the threat actors to access Microsoft's systems once they brute-forced the correct password.
Microsoft also explains that this test account had access to an OAuth application with elevated access to Microsoft's corporate environment. This elevated access allowed the threat actors to create additional OAuth applications to gain access to other corporate mailboxes, as explained below.
Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications.
They created a new user account to grant consent in the Microsoft corporate environment to the actor-controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes. – Microsoft.
The company identified the malicious activity by retrieving traces in Exchange Web Services (EWS) logs, combined with known tactics and procedures used by Russian state-sponsored hacking groups.
Based on these findings, Microsoft was able to discern related attacks carried out by Midnight Blizzard that targeted other organizations.
"Using the information gained from Microsoft's investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations," warns Microsoft in the new update.
When BleepingComputer asked HPE who disclosed the breach to them, they told us that they were not sharing this information. However, the overlap raises suspicions, increasing the possibility that HPE is one of the companies Microsoft has confirmed as impacted.
In September 2023, it was also revealed that the Chinese Storm-0558 hacking group stole 60,000 emails from US State Department accounts after breaching Microsoft's cloud-based Exchange email servers earlier that year.
Defending against Midnight Blizzard
Microsoft has provided extensive detection and hunting methods in its latest post to help defenders identify attacks by APT29 and block their malicious activity.
The tech giant advises focusing on identity, XDR, and SIEM alerts. The following scenarios are particularly suspicious for Midnight Blizzard activity:
- Elevated activity in email-accessing cloud apps, suggesting potential data retrieval.
- Spike in API calls after a credential update in non-Microsoft OAuth apps, hinting at unauthorized access.
- Increased Exchange Web Services API usage in non-Microsoft OAuth apps, possibly indicating data exfiltration.
- Non-Microsoft OAuth apps with known risky metadata, possibly involved in data breaches.
- OAuth apps created by users from high-risk sessions, suggesting compromised account exploitation.
Finally, Microsoft advises using the targeted hunting queries (provided in the post) in Microsoft Defender XDR and Microsoft Sentinel to identify and investigate suspicious activities.
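The "low number of attempts" spray pattern Microsoft describes above is designed to stay under per-account lockout thresholds, so a defender has to look across accounts per source rather than per account. The following is an added illustration, not code from Microsoft's post or its hunting queries: it runs over a constructed set of sign-in events and flags sources that touched many distinct accounts with only one or two failures each, while separating that from a classic single-account brute force. The event format, thresholds, IPs and account names are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real Microsoft logs):
# (timestamp, source_ip, account, result)
SAMPLE_EVENTS = [
    ("2023-11-20T02:00:00", "203.0.113.10", "alice@corp.example", "failure"),
    ("2023-11-20T02:07:00", "203.0.113.10", "bob@corp.example", "failure"),
    ("2023-11-20T02:15:00", "203.0.113.10", "carol@corp.example", "failure"),
    ("2023-11-20T02:22:00", "203.0.113.10", "dave@corp.example", "failure"),
    ("2023-11-20T02:30:00", "203.0.113.10", "test-legacy@corp.example", "success"),
    # A second source hammering one account: high volume, trips lockout, not a spray
    ("2023-11-20T02:31:00", "198.51.100.5", "alice@corp.example", "failure"),
    ("2023-11-20T02:32:00", "198.51.100.5", "alice@corp.example", "failure"),
    ("2023-11-20T02:33:00", "198.51.100.5", "alice@corp.example", "failure"),
    ("2023-11-20T02:34:00", "198.51.100.5", "alice@corp.example", "failure"),
    ("2023-11-20T02:35:00", "198.51.100.5", "alice@corp.example", "failure"),
]


def detect_low_and_slow_spray(events, window=timedelta(hours=1),
                              min_accounts=4, max_per_account=2):
    """Flag sources that, within `window`, failed against at least
    `min_accounts` distinct accounts while never exceeding `max_per_account`
    failures on any one of them. Returns {source_ip: {"accounts": [...],
    "successes": [...]}} where "successes" lists accounts the same source
    later signed into, which is the case worth investigating first."""
    by_source = defaultdict(list)
    for ts, ip, account, result in events:
        by_source[ip].append((datetime.fromisoformat(ts), account, result))
    findings = {}
    for ip, evs in by_source.items():
        evs.sort()
        for i, (end_ts, _, _) in enumerate(evs):
            # Sliding window ending at this event
            recent = [e for e in evs[:i + 1] if end_ts - e[0] <= window]
            failures = defaultdict(int)
            for _, account, result in recent:
                if result == "failure":
                    failures[account] += 1
            if len(failures) >= min_accounts and max(failures.values()) <= max_per_account:
                successes = sorted({a for _, a, r in recent if r == "success"})
                findings[ip] = {"accounts": sorted(failures), "successes": successes}
    return findings


if __name__ == "__main__":
    for ip, hit in detect_low_and_slow_spray(SAMPLE_EVENTS).items():
        print(ip, "sprayed", len(hit["accounts"]), "accounts; successes:", hit["successes"])
```

Thresholds that work for a tenant depend on its normal failed-login baseline; tune `min_accounts` and `window` against real data before alerting on this.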