Microsoft tells how Russia's Cozy Bear broke into its email The Register

Microsoft, a week after disclosing that Kremlin-backed spies broke into its network and stole internal emails and files from its executives and staff, has now confirmed the compromised corporate account used in the genesis of the heist didn't even have multi-factor authentication enabled.
A password-spray attack is one in which a miscreant tries to log into a large number of accounts using a single password, waits a while, tries again with another password, and repeats this over and over.
It's a type of brute-force attack designed to avoid tripping lockout thresholds and monitoring rules that catch multiple failed logins to one account in a short period of time: each account sees only one or two failures, spread out over hours or days, while the attacker works through the user list.
Password spraying is more subtle, and once the attackers identify an account with a weak password, they can use it to start drilling into the IT estate.
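The detection logic that the per-account lockout described above misses, as an added example that is not part of the article or of Microsoft's tooling: group failed sign-ins by source IP and count how many distinct accounts fail from that IP inside a time window, rather than how many times one account fails. The sign-in records are constructed to mimic the shape of Entra ID sign-in events; the field names and the threshold of five accounts per hour are assumptions for illustration.

```python
"""Password-spray detection over sign-in records grouped by source IP.

Added example; the records below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_IP = "203.0.113.7"      # constructed attacker address
OFFICE_IP = "198.51.100.4"    # constructed office egress address

# Constructed sample: (timestamp, userPrincipalName, ipAddress, status).
# One source tries a single password against seven accounts over ~35 minutes;
# each account fails only once, so no per-account lockout is reached.
SAMPLE_SIGNINS = [
    ("2023-11-20T02:00:10Z", "alice@corp.example", SPRAY_IP, "failure"),
    ("2023-11-20T02:04:33Z", "bob@corp.example", SPRAY_IP, "failure"),
    ("2023-11-20T02:09:51Z", "carol@corp.example", SPRAY_IP, "failure"),
    ("2023-11-20T02:15:02Z", "dave@corp.example", SPRAY_IP, "failure"),
    ("2023-11-20T02:21:40Z", "erin@corp.example", SPRAY_IP, "failure"),
    ("2023-11-20T02:27:18Z", "frank@corp.example", SPRAY_IP, "failure"),
    ("2023-11-20T02:33:59Z", "testacct@corp.example", SPRAY_IP, "failure"),
    # The weak password works on the next attempt: the attacker's foothold.
    ("2023-11-20T02:39:07Z", "testacct@corp.example", SPRAY_IP, "success"),
    # An ordinary user mistypes a password once from the office, then succeeds.
    ("2023-11-20T08:30:12Z", "carol@corp.example", OFFICE_IP, "failure"),
    ("2023-11-20T08:30:40Z", "carol@corp.example", OFFICE_IP, "success"),
]


def parse(records):
    """Turn the raw tuples into (datetime, user, ip, status) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, status)
            for ts, user, ip, status in records]


def per_account_failures(records):
    """What a per-account lockout rule sees: failures counted per user."""
    counts = defaultdict(int)
    for _, user, _, status in records:
        if status == "failure":
            counts[user] += 1
    return dict(counts)


def detect_password_spray(records, window=timedelta(hours=1), min_distinct_users=5):
    """Return {ip: sorted distinct users} for every source IP that fails
    against at least min_distinct_users different accounts inside one window."""
    failures_by_ip = defaultdict(list)
    for ts, user, ip, status in records:
        if status == "failure":
            failures_by_ip[ip].append((ts, user))

    hits = {}
    for ip, events in failures_by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            if len(distinct) >= min_distinct_users:
                hits[ip] = sorted({user for _, user in events})
                break
    return hits


def successes_from_spray_sources(records):
    """Accounts that successfully signed in from a flagged spray source,
    i.e. the weak passwords the attacker found and can now pivot from."""
    flagged = detect_password_spray(records)
    return [(user, ip) for _, user, ip, status in records
            if status == "success" and ip in flagged]


if __name__ == "__main__":
    parsed = parse(SAMPLE_SIGNINS)
    print("max failures on any single account:", max(per_account_failures(parsed).values()))
    print("spray sources:", detect_password_spray(parsed))
    print("compromised from spray:", successes_from_spray_sources(parsed))
```

The per-account view never rises above two failures, which is why a lockout threshold of five or ten never fires; the per-IP view shows seven distinct accounts failing from one address in half an hour, followed by a success, which is the signal to alert on. In production the grouping key should also consider the ASN or the residential-proxy provider, since an attacker rotating through many residential addresses will not repeat a single IP this cleanly.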
After gaining initial access to a non-production Microsoft system, the intruders compromised a legacy test OAuth application that had access to the Windows giant's corporate IT environment.
The actor then created additional malicious OAuth applications of its own.
It also created a new user account and used it to grant consent, in the Microsoft corporate environment, to those actor-controlled malicious OAuth applications.
Finally, the threat actor used the legacy test OAuth application to grant those applications the Office 365 Exchange Online full_access_as_app role, an application permission that allows an app to read every mailbox in the tenant without any user being involved.
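The chain described above (new account, consent to an attacker-controlled app, then an app-role assignment of full_access_as_app on Exchange Online) leaves a trail in the Entra ID audit log, and the rules below hunt for it. This is an added example, not Microsoft's guidance or tooling: the audit records are constructed, the field names are flattened for readability, and although the activity names match the display names Entra uses, treat the exact schema as an assumption and map it to your own export.

```python
"""Hunting the OAuth-consent chain in Entra ID audit-log records.

Added example with constructed data; not Microsoft's code.
"""
from datetime import datetime, timedelta


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample timeline (UTC). Benign activity first, then the chain.
AUDIT_EVENTS = [
    {"time": "2018-05-14T09:12:00Z", "activity": "Add user",
     "initiated_by": "hr-sync", "target": "alice@corp.example"},
    {"time": "2019-03-02T10:00:00Z", "activity": "Add service principal",
     "initiated_by": "devadmin@corp.example", "target": "Legacy Test App"},
    {"time": "2023-06-01T11:00:00Z", "activity": "Consent to application",
     "initiated_by": "alice@corp.example", "target": "Expense Reports",
     "permissions": ["Mail.Read"]},
    {"time": "2023-06-01T11:00:05Z", "activity": "Add app role assignment to service principal",
     "initiated_by": "alice@corp.example", "target": "Expense Reports",
     "resource": "Microsoft Graph", "role": "User.Read"},
    # --- the attacker chain: account, app, consent, mailbox role ---
    {"time": "2023-11-28T01:02:00Z", "activity": "Add user",
     "initiated_by": "Legacy Test App", "target": "svc-tmp@corp.example"},
    {"time": "2023-11-28T01:05:00Z", "activity": "Add service principal",
     "initiated_by": "svc-tmp@corp.example", "target": "Mail Sync Helper"},
    {"time": "2023-11-28T01:06:30Z", "activity": "Consent to application",
     "initiated_by": "svc-tmp@corp.example", "target": "Mail Sync Helper",
     "permissions": ["full_access_as_app"]},
    {"time": "2023-11-29T02:10:00Z", "activity": "Add app role assignment to service principal",
     "initiated_by": "Legacy Test App", "target": "Mail Sync Helper",
     "resource": "Office 365 Exchange Online", "role": "full_access_as_app"},
]


def exchange_full_access_grants(events):
    """Apps that were handed full_access_as_app on Exchange Online.
    This role alone justifies an alert: it reads every mailbox in the tenant."""
    return [e["target"] for e in events
            if e["activity"] == "Add app role assignment to service principal"
            and e.get("resource") == "Office 365 Exchange Online"
            and e.get("role") == "full_access_as_app"]


def consents_by_new_accounts(events, max_age=timedelta(days=7)):
    """(user, app) pairs where the consenting user was created less than
    max_age before consenting: a freshly minted account granting consent."""
    created = {e["target"]: _t(e["time"]) for e in events if e["activity"] == "Add user"}
    hits = []
    for e in events:
        if e["activity"] != "Consent to application":
            continue
        born = created.get(e["initiated_by"])
        if born is not None and timedelta(0) <= _t(e["time"]) - born <= max_age:
            hits.append((e["initiated_by"], e["target"]))
    return hits


def consent_chain(events, app):
    """Ordered timeline of every event that touched `app`, plus the creation
    of any account that acted on it, so the whole chain is visible at once."""
    related = [e for e in events if e.get("target") == app]
    actors = {e["initiated_by"] for e in related}
    related += [e for e in events if e["activity"] == "Add user" and e["target"] in actors]
    related.sort(key=lambda e: _t(e["time"]))
    return [(e["time"], e["activity"], e["initiated_by"], e["target"]) for e in related]


if __name__ == "__main__":
    for app in exchange_full_access_grants(AUDIT_EVENTS):
        print("full mailbox access granted to:", app)
        for row in consent_chain(AUDIT_EVENTS, app):
            print("   ", *row)
    print("consents by brand-new accounts:", consents_by_new_accounts(AUDIT_EVENTS))
```

Either rule fires on its own here, but the timeline is what an incident responder wants: the account that consented was created minutes earlier by the legacy test app, and the same legacy app later assigned the mailbox role. Two follow-ups the example does not cover are checking whether the consenting account has MFA registered and reviewing every long-lived test or legacy app principal that still holds elevated roles in the production tenant.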
The crew then used this access to steal emails and other files from corporate inboxes belonging to top Microsoft executives and other staff.
Plus, we're told, Cozy Bear routed its traffic through residential broadband proxies, so that its connections looked like legitimate work-from-home staff coming from ordinary consumer IP addresses, which blunts IP-reputation and indicator-based blocking.
In its disclosure Redmond also wants everyone to know that Midnight Blizzard targeted other organisations.
HPE can attest to this, having disclosed that the same crew got into its email environment, although at this point it's not clear how that intrusion was carried out.
This is yet another proof point as to why everyone - especially global tech giants like Microsoft - should turn on MFA as soon as possible for all user accounts.
The latest advisory from Microsoft includes guides for administrators on how to avoid being compromised in the same way the software goliath was hit.
We'll leave it up to you as to whether or not to trust its advice but hey, at least some of us could learn from Redmond's mistakes.
The intrusion began in late November 2023; Microsoft didn't spot it until January 12, 2024; and the compromised email accounts included those of senior leadership and of cybersecurity and legal employees.
Or, you know, review basic security hygiene across the whole shebang - and we know Microsoft has a sprawling mega-empire - every once in a while.


This Cyber News was published on go.theregister.com. Publication date: Sat, 27 Jan 2024 01:13:04 +0000

