Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023

Microsoft has been successfully hacked by the Russian state-sponsored hacker group Midnight Blizzard, also known as Nobelium. The intrusion was noticed on January 12, 2024, but the attackers had probably been in the systems for months and were able to view and exfiltrate emails. It is the next major hack after the attack by the Chinese group Storm-0558 between May and June 2023.


Hack by Midnight Blizzard

I came across the issue via various tweets pointing to a short filing on sec.gov; Microsoft has since acknowledged the incident on January 19, 2024 in the post Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard.

On January 12, 2024, the Microsoft security team became aware of a state-sponsored attack on the company's own systems. Internal processes were then initiated to respond to the malicious activity, stop it and investigate the matter. After these investigations, Microsoft came to the conclusion that the attack was carried out by Midnight Blizzard, a Russian state-sponsored actor also known as Nobelium.

Nobelium (aka Midnight Blizzard, APT29 and Cozy Bear) is a Russian state-sponsored hacker group believed to be affiliated with the Russian Foreign Intelligence Service (SVR); it has been linked to numerous attacks in recent years, including the SolarWinds supply-chain compromise.

Attack via Test-Tenant

Microsoft writes that the threat actor used a password spray attack from late November 2023 to compromise an old, non-production test tenant account and gain a foothold. In a password spray attack, the attacker tries a small number of common passwords against a large number of accounts, typically staying below the lockout threshold of each individual account so that no single account shows a conspicuous number of failures. This was apparently successful; it would not have been possible with multi-factor authentication (MFA) enforced on the account.

By accessing the test tenant, the attacker had probably hit the jackpot: the permissions of the compromised account could be used to reach email accounts hosted by Microsoft. Presumably this gave the attackers access to any Microsoft corporate email account.


E-mails siphoned off over months

Microsoft then states that the attacker only "accessed a very small percentage of Microsoft corporate email accounts" with the account's permissions. It may be true that only a few accounts were searched. But the email accounts of members of the Microsoft senior leadership team and of employees in cybersecurity, legal and other functions were among the accounts accessed.

The attackers thus had access to the "crown jewels" of Microsoft management; the emails of the gatekeeper or janitor were probably of less interest to them. The attacker then exfiltrated some emails and attached documents (the volume of exfiltrated emails was not disclosed).

Microsoft's investigation has revealed that the attackers initially targeted email accounts in order to obtain information about Midnight Blizzard itself: they wanted to know what the security specialists at Microsoft knew about this group. Microsoft says it is in the process of notifying the employees whose emails were accessed.

What was not said

If you read the article Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard, it all sounds quite harmless and trivializing. A non-production test account in a tenant was cracked via a password spray attack. The attackers only had access to "a small number of email accounts" at Microsoft via the permissions of this hijacked account. And Microsoft reacted immediately when it realized this.

However, if you read between the lines and translate the Microsoft statements, the case looks somewhat different. I have translated and summarized the facts a little differently:

  • We, at Microsoft, were attacked via a test tenant in November 2023, but didn't realize it until two months later.
  • If you have access to this test tenant, you can inspect the email accounts of any Microsoft employee and read their emails.

At this point, you should stop and think. I don't know if it's true, but with a normal Microsoft 365 tenant, you shouldn't be able to access the mailboxes of other tenants. Just off the top of my head:

  • This test tenant, which was not used "productively", seems to have played a special role internally at Microsoft, because the account's permissions allowed access to Microsoft corporate emails.
  • From this perspective, it is absolutely incomprehensible that multi-factor authentication (which Microsoft always recommends to its customers) was not enforced on this account.
  • If the attack took place in November 2023 and was only noticed in January 2024, although the access attempts (as I understand it) must have come from external IP addresses, there is apparently no continuous monitoring of access either. The Storm-0558 attack was only noticed because a US government employee wondered about accesses that did not match the normal pattern.
  • And once I have access to Microsoft's email system from a test tenant, it doesn't matter whether "only a small number of accounts" were accessed. The "cabinet door was open" and the attackers could help themselves as they pleased. That they only accessed the lucrative accounts of executives, lawyers and security people is logical in my eyes: you don't go into the janitor's break room if you want to look through the management's filing cabinet.
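The two points above, the mechanics of a password spray and the question of why weeks of failed logins from an external IP went unnoticed, can be made concrete with a small detector over sign-in logs. The following is an added example, not code from the original post or from Microsoft: it builds a constructed set of sign-in records whose field names follow the shape of Entra ID sign-in logs (userPrincipalName, ipAddress, createdDateTime, status.errorCode; 50126 is the Entra ID code for an invalid username or password), then flags any source IP that fails against many distinct accounts within a time window while keeping the per-account failure count low, and reports which of those accounts later saw a successful sign-in from the same IP. The thresholds, IP addresses, user names and timestamps are assumptions chosen for illustration.

```python
"""Password-spray detection over Entra ID style sign-in records (added example).

The records are constructed, not real log data. Field names mimic the Entra ID
sign-in log schema; the values, thresholds and addresses are illustrative.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # Entra ID error code: invalid username or password
SUCCESS = 0               # errorCode 0 denotes a successful sign-in


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def build_sample():
    """Constructed sample: one IP sprays two passwords across twelve accounts
    and then succeeds on one of them; a second IP shows a benign user typo."""
    base = datetime(2023, 11, 20, 2, 0, 0)
    records = []

    def add(minute, user, ip, code):
        records.append({
            "createdDateTime": (base + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "userPrincipalName": user,
            "ipAddress": ip,
            "status": {"errorCode": code},
        })

    users = [f"user{i:02d}@test.example" for i in range(1, 13)]
    minute = 0
    for _guess in range(2):            # two password guesses per account
        for user in users:             # ... spread across all accounts
            add(minute, user, "203.0.113.7", INVALID_PASSWORD)
            minute += 1
    add(minute, users[6], "203.0.113.7", SUCCESS)   # third guess hits user07

    # Benign noise: one user mistypes twice from another address, then succeeds.
    add(5, "user03@test.example", "198.51.100.5", INVALID_PASSWORD)
    add(6, "user03@test.example", "198.51.100.5", INVALID_PASSWORD)
    add(7, "user03@test.example", "198.51.100.5", SUCCESS)
    return records


def detect_password_spray(records, window=timedelta(hours=1), min_users=8):
    """Return one finding per source IP whose invalid-password failures hit at
    least `min_users` distinct accounts within any `window`. Each finding
    carries the distinct-target count, the highest failure count against a
    single account (sprays keep this low to dodge lockout) and the accounts
    that later saw a successful sign-in from the same IP."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ipAddress"]].append(
            (parse_time(rec["createdDateTime"]), rec["userPrincipalName"], rec["status"]["errorCode"])
        )

    findings = []
    for ip, events in by_ip.items():
        events.sort()
        failures = [(t, u) for t, u, code in events if code == INVALID_PASSWORD]

        # Sliding window: largest number of distinct accounts failed within `window`.
        best, start = 0, 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            best = max(best, len({u for _, u in failures[start:end + 1]}))
        if best < min_users:
            continue

        per_account = Counter(u for _, u in failures)
        compromised = sorted({
            u for t, u, code in events
            if code == SUCCESS and any(ft < t and fu == u for ft, fu in failures)
        })
        findings.append({
            "ip": ip,
            "distinct_targets": best,
            "max_failures_per_account": max(per_account.values()),
            "compromised": compromised,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(build_sample()):
        print(finding)
```

The per-account figure is the point of the exercise: every account in the sample sees only two failures, far below any sensible lockout threshold, so a per-user alert never fires. The attack is only visible when failures are correlated by source address across accounts, which is exactly the kind of continuous monitoring that was apparently missing here.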

In the Storm-0558 cloud hack, the attackers had obtained a "non-productively used" private MSA signing key by obscure means and were able to use it to forge security tokens to access any account in the Microsoft cloud. In the current case, a password spray attack on a test account was enough to gain access to Microsoft's email system.

In both cases, the whole thing was "played down" by Microsoft. I wrote about the Storm-0558 hack here in the blog (see the links at the end of the article). My attempts to obtain information about the GDPR relevance of that incident from the Federal Data Protection Commissioner came to nothing at the time; he is not responsible. And the data protection supervisory authority in Bavaria doesn't provide any information either; it is none of a third party's business. At this point, the question "what else has to happen" before people wake up creeps up on me.

Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft's Storm-0558 cloud hack: US senator among the victims
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC
Microsoft extends Purview logging (after Storm-0558 hack)

Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack (Part 1)
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable (Part 2)
