Microsoft confirmed that the Russian Foreign Intelligence Service hacking group, which hacked into its executives' email accounts in November 2023, also breached other organizations as part of this malicious campaign.
On January 12, 2024, Microsoft discovered that the Russian hackers breached its systems in November 2023 and stole email from their leadership, cybersecurity, and legal teams.
Some of these emails contained information about the hacking group itself, allowing the threat actors to learn what Microsoft knew about them.
When Microsoft first disclosed the breach, many wondered whether MFA was enabled on this test account and how a test legacy account would have enough privileges to spread laterally to other accounts in the organization.
Microsoft has now confirmed that MFA was not enabled for that account, allowing the threat actors to access Microsoft's systems once they brute-forced the correct password.
Microsoft also explains that this test account had access to an OAuth application with elevated access to Microsoft's corporate environment.
Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment.
They created a new user account to grant consent in the Microsoft corporate environment to the actor-controlled malicious OAuth applications.
The threat actor then used the legacy test OAuth application to grant themselves the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.
Based on these findings, Microsoft was able to discern similar attacks carried out by Midnight Blizzard, which targeted other organizations.
Earlier this week, Hewlett Packard Enterprise disclosed that Midnight Blizzard had gained unauthorized access to its Microsoft Office 365 email environment and exfiltrated data since May 2023.
The overlap raises the possibility that HPE is one of the organizations Microsoft has confirmed as impacted.
In September 2023, it was also revealed that the Chinese Storm-0558 hacking group stole 60,000 emails from U.S. State Department accounts after breaching Microsoft's cloud-based Exchange email servers earlier that year.
Microsoft has provided extensive detection and hunting methods in its latest post to aid defenders in identifying attacks by APT29 and blocking their malicious activity.
One indicator it highlights is OAuth apps created by users from high-risk sessions, which suggests the creating account was compromised.
Finally, Microsoft advises using targeted hunting queries in Microsoft Defender XDR and Microsoft Sentinel to identify and investigate suspicious activities.
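As an added illustration of the hunting idea behind the attack chain described above (a freshly created account consenting to an application, then the Exchange Online full_access_as_app role being granted to a service principal), the following Python runs two simple detection rules over constructed audit-log records. It is not Microsoft's own query and the record shape, account names and application names are assumptions, not the real Entra ID AuditLogs schema.

```python
"""Hunt simplified, constructed Entra ID audit records for the OAuth abuse
chain: consent granted by a newly created account, and the Exchange Online
full_access_as_app app role granted to a service principal."""
from datetime import datetime, timedelta

# Constructed sample records; the field layout is an assumption for this example.
AUDIT_EVENTS = [
    {"time": "2023-11-20T09:00:00", "activity": "Add user",
     "actor": "svc-legacy-test@corp.example", "target": "new-helper@corp.example"},
    {"time": "2023-11-20T09:05:00", "activity": "Consent to application",
     "actor": "new-helper@corp.example", "target": "hypothetical-actor-app"},
    {"time": "2023-11-20T09:10:00",
     "activity": "Add app role assignment to service principal",
     "actor": "legacy-test-app", "target": "Office 365 Exchange Online",
     "role": "full_access_as_app"},
    {"time": "2023-11-21T12:00:00", "activity": "Consent to application",
     "actor": "alice@corp.example", "target": "ticketing-app"},  # benign baseline
]

EXCHANGE_RESOURCE = "Office 365 Exchange Online"
HIGH_RISK_ROLE = "full_access_as_app"
NEW_ACCOUNT_WINDOW = timedelta(hours=24)  # "new" = created within this window


def parse_time(ts):
    return datetime.fromisoformat(ts)


def hunt(events):
    """Return (rule_name, event) findings for the two rules described above."""
    findings = []
    # Map each created account to its creation time so consents can be aged.
    created = {e["target"]: parse_time(e["time"])
               for e in events if e["activity"] == "Add user"}
    for e in events:
        # Rule 1: mailbox-wide application access granted on Exchange Online.
        if (e["activity"] == "Add app role assignment to service principal"
                and e.get("target") == EXCHANGE_RESOURCE
                and e.get("role") == HIGH_RISK_ROLE):
            findings.append(("exchange_full_access_as_app_granted", e))
        # Rule 2: an application consent performed by a just-created account.
        if e["activity"] == "Consent to application":
            born = created.get(e["actor"])
            if born is not None and parse_time(e["time"]) - born <= NEW_ACCOUNT_WINDOW:
                findings.append(("consent_by_newly_created_account", e))
    return findings


if __name__ == "__main__":
    for rule, event in hunt(AUDIT_EVENTS):
        print(rule, "->", event["actor"], "on", event["target"])
```

In a real tenant the same two conditions are expressed as KQL over the AuditLogs table; the point is to alert on the role grant itself and on consent activity from accounts with no history.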
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 26 Jan 2024 15:25:29 +0000