Microsoft Shares New Guidance in the Wake of 'Midnight Blizzard' Cyberattack

Microsoft has released new guidance for organizations on how to protect against persistent nation-state attacks like the one disclosed a few days ago that infiltrated its own corporate email system.
A key focus of the guidance is on what organizations can do to protect against threat actors using malicious OAuth apps to hide their activity and maintain access to applications, despite efforts to boot them out.
The attack on Microsoft by Midnight Blizzard aka Cozy Bear - a threat group affiliated with Russia's Foreign Intelligence Service - resulted in the compromise of email accounts belonging to several Microsoft employees, including senior leadership.
Over a period of several weeks beginning late November 2023, the attackers accessed Microsoft's corporate email accounts and exfiltrated emails and document attachments in an apparent bid to determine what information the company might have on Midnight Blizzard itself.
A recent SEC filing that surfaced this week showed that the threat actor, whom the US government has formally identified as the perpetrator of the SolarWinds hack, also breached Hewlett Packard Enterprise's cloud-based email environment last May. The attacks are believed to be part of a broader and ongoing intelligence-gathering effort by SVR/Midnight Blizzard for potential future campaigns.
In its Jan. 19 blog initially disclosing the attack, Microsoft described Midnight Blizzard as having gained initial access to its environment via a legacy, non-production test account that the threat actor compromised via a password spray attack.
The threat actor's use of residential proxy infrastructure for its attacks helped obfuscate their activity and evade detection, Microsoft said.

Abusing OAuth Apps

Once the attacker gained initial access to the test account, they used it to identify and compromise a legacy test OAuth application with privileged access to Microsoft's corporate environment.
The adversary used the legacy OAuth app they had compromised to grant themselves full access to Office 365 Exchange mailboxes, Microsoft said.
Tal Skverer, research team lead at Astrix Security, says Midnight Blizzard actors leveraged malicious OAuth tokens because they likely knew their access to the compromised account would be detected.
Some of these permissions can persist even if the originally compromised account is disabled or deleted, allowing attackers to retain their access even after they lose the initially compromised account, Skverer says.

Thwarting Malicious OAuth

Microsoft's Jan. 25 blog offered guidance to organizations for mitigating risks related to the misuse of OAuth apps.
The recommendations include the need for organizations to audit the current privilege levels associated with all identities - both user and service - and to focus on those with high privileges.
When reviewing privileges, an administrator should keep in mind that users and services can often have privileges over and beyond what they require, the blog noted.
Organizations also should audit identities that hold the ApplicationImpersonation privilege in Exchange Online, which allows a service to impersonate a user and execute the same operations that the user can, Microsoft advised.
Organizations should also consider using anomaly detection policies to identify malicious OAuth applications and conditional access application controls for users connecting from unmanaged services, Microsoft said.
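The two audits above (ApplicationImpersonation holders, and OAuth apps with high-privilege permissions) can be pulled together from the ExchangeOnlineManagement and Microsoft Graph PowerShell modules. The script below is an added example written for this page, not code from Microsoft's blog or the article; the $HighRiskPermissions watch-list is a constructed starting point and the exact permission names worth flagging depend on your tenant.

```powershell
# Added example (not from the article or Microsoft's guidance). Requires the
# ExchangeOnlineManagement and Microsoft.Graph modules and read access to
# Exchange Online RBAC and Entra ID application objects.

# Constructed watch-list of application permissions that grant mailbox- or
# directory-wide reach; extend it for your environment.
$HighRiskPermissions = @(
    'full_access_as_app',                  # EWS/Exchange Online: every mailbox as the app
    'Mail.ReadWrite',                      # Graph: read/write all mailboxes
    'Mail.Read',
    'MailboxSettings.ReadWrite',
    'Directory.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory',
    'Application.ReadWrite.All'
)

# 1. Who can impersonate users in Exchange Online?
Connect-ExchangeOnline -ShowBanner:$false
Write-Host '== ApplicationImpersonation role assignments =='
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object RoleAssigneeName, RoleAssigneeType, EffectiveUserName, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 2. Which service principals (OAuth apps) hold high-risk application permissions?
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'
$resourceCache = @{}   # resource SP id -> SP object, so each API is fetched once
$findings = foreach ($sp in Get-MgServicePrincipal -All) {
    foreach ($ra in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        if (-not $resourceCache.ContainsKey($ra.ResourceId)) {
            $resourceCache[$ra.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ra.ResourceId
        }
        # Map the opaque AppRoleId back to its permission name on the resource API
        $role = $resourceCache[$ra.ResourceId].AppRoles | Where-Object Id -eq $ra.AppRoleId
        if ($role -and $HighRiskPermissions -contains $role.Value) {
            [pscustomobject]@{
                App         = $sp.DisplayName
                AppId       = $sp.AppId
                Resource    = $ra.ResourceDisplayName
                Permission  = $role.Value
                Granted     = $ra.CreatedDateTime
                Secrets     = $sp.PasswordCredentials.Count   # credentials usable without a user
                Certs       = $sp.KeyCredentials.Count
            }
        }
    }
}
Write-Host '== Service principals with high-risk application permissions =='
$findings | Sort-Object App | Format-Table -AutoSize
```

Review every row against a known business owner; an app that nobody claims, or one whose permission was granted around the time of a suspected account compromise, is the kind of legacy OAuth application the article describes.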
How to Detect Midnight Blizzard

The blog also included detailed guidance on what to look for in log data to hunt for and detect malicious activity such as that associated with Midnight Blizzard.
Skverer says posture management tools can help organizations inventory all non-human identities in their environment - especially those that pose the highest risk.


This Cyber News was published on www.darkreading.com. Publication date: Fri, 26 Jan 2024 20:45:14 +0000

