How Midnight Blizzard hackers were able to penetrate Microsoft's email system

Posted on 2024-01-28 by guenni

Sicherheit (Pexels, allgemeine Nutzung)[German]It was recently revealed that hackers from the state-run group Midnight Blizzard Hackers were able to penetrate Microsoft's email system and read messages from executives or security experts. The hackers had been in the system for months. Microsoft has now revealed how this hack came about. The short version: what is sold to third parties as "good security practice" was probably not applied by the company itself.

Advertising

The Midnight Blizzard hack

I reported on the hack in the blog post Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023. Microsoft has been successfully attacked by the Russian state hacker group Midnight Blizzard, also known as Nobelium. This was discovered on January 12, 2024, but the hackers had probably been working undetected in the systems since November 2023 and were able to view and extract emails. The next major hack after the attack by the Chinese group Storm-0558 from May to June 2023.

Microsoft made the hack public on January 19, 2024 in the article Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard. The attacker was able to take over an old, non-productive test tenant account from the end of November 2023 via a password spray attack and access Microsoft's entire email system from there. During the attack, emails from executives and from the legal and security departments were then searched for and extracted via "Midnight Blizzard".

Microsoft reveals further details

I raised a number of questions in the blog post Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023. Microsoft was able to identify these attacks in the log data by reviewing Exchange Web Services (EWS) activity and analyzing the audit logging capabilities and combining them with extensive knowledge of Midnight Blizzard. As early as January 25, 2024, Microsoft published the follow-up article Midnight Blizzard: Guidance for responders on nation-state attack, based on the new findings, with hints on what could be done better.

I had wondered how a password spray attack was possible on an old, non-production test tenant account and no multi-factor authentication (MFA) was used there. In the post, Microsoft confirmed that no MFA was enabled for the test account, something Redmond encourages its customers to do over and over again.

According to Microsoft, this test account had access to an OAuth application that allowed extended access to Microsoft's corporate environment. Specifically, Midnight Blizzard used its initial access to identify and compromise an older OAuth test application that had extended access to the Microsoft corporate environment. So the attackers understood the issues, while the Microsoft people were probably not aware of them.

Advertising

This explains why the attackers were able to gain access to Microsoft's Office 365 email system from the test account. This extended access allowed the threat actors to create additional OAuth applications to gain access to other corporate mailboxes. This reminds me of the Storm-0558 hack where Chinese attackers were able to authenticate themselves via a captured key.

The attackers then create a new user account to grant the generated OAuth applications permission to access accounts in the Microsoft corporate environment. The threat actor then used the old test OAuth application to grant the OAuth applications the Office 365 Exchange Online full_access_as_app role. This gave the attackers access to mailboxes and allowed them to view any mail from Microsoft.

Microsoft was able to use these findings to identify similar attacks by Midnight Blizzard on other organizations. According to the statement: "Based on the information Microsoft gathered from the Midnight Blizzard investigation, Microsoft Threat Intelligence has determined that the same actor has targeted other organizations. As part of our normal notification processes, we have begun notifying these affected organizations." This immediately brings to mind my article Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023, who were also hacked by Midnight Blizzard.

In the article Midnight Blizzard: Guidance for responders on nation-state attack, Microsoft downplayed it's role and the implications. They then gives its customers tips on how to protect themselves against such hacks. Let's hope that these measures are not only applied by Microsoft's customers, but also internally in Redmond. Because the chain of hacks in this environment is becoming somewhat embarrassing. Alex Stamos has shared his thoughts about that at LinkedIn in the article Microsoft's Dangerous Addiction To Security Revenue

Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft's Storm-0558 cloud hack: US senator among the victims
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC
Microsoft extends Purview logging (after Storm-0558 hack)
Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023

Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack– Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2

Advertising
This entry was posted in Cloud, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).