Microsoft Executives Hacked

Microsoft is reporting that a Russian intelligence agency—the same one responsible for the SolarWinds hack—accessed the email system of the company’s executives.

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself.

This is nutty. How does a “legacy non-production test tenant account” have access to executive emails? And why no two-factor authentication?

Posted on January 29, 2024 at 7:03 AM • 28 Comments

Comments

Reader Two January 29, 2024 7:55 AM

I hope someone is looking for correlations between stock trading and email hacks. I’d hate to think insider trading is a profit center for Russian hackers.

Wannabe techguy January 29, 2024 8:42 AM

Hmmm, I wonder how they know it was Russians?
Since I’m not an IT guy, I needed a reminder of what a “password spraying attack” is. I have heard of the term.
According to “Keeper Security”, it’s “when an attacker uses common passwords to attempt to access several accounts on one domain.”

So that tells me it was preventable.

Anonymous January 29, 2024 10:06 AM

It is common knowledge and praxis that terrorists leave behind their passports and the hackers leave behind the Russian fingerprints.

I guess it will soon come out that it was Putin himself while riding the bear.

Doug Deden January 29, 2024 10:10 AM

Perhaps it would be more clear if you wrote “the same one responsible for the SolarWinds hack”, or “… the SolarWinds attack.”

…doug

Wes January 29, 2024 10:30 AM

@ Wannabe

Yeah, password spraying is completely preventable, any of these would do it:
– brute force prevention should be turned on for both username and password
– enable account lockout after 3 incorrect passwords
– use a CAPTCHA
– MFA (which you should be using anyway)

Jos January 29, 2024 11:13 AM

@Wannabe

Password spray means that you only lightly touch the target system to probe for vulnerable accounts, while keeping your rate low enough to avoid triggering monitoring software.
You use many devices, each of which probes only a limited number of account/password combinations over a long time.

Consider 100 target accounts which you acquired. You can attempt to brute force these in a second from a single computer, leading monitoring software to shut you down.
You can also off-load these 100 targets to a botnet with, let’s say, 5,000 bots in it.
And instead of attempting all at once, you let those slowly rotate accounts and passwords. Since there are 5,000 potential sources, and with slow rotation, a single account is perhaps probed every hour or so, from different IP addresses.
Since we are more interested in getting undetected access than getting it fast, it might be even slower.
Only if someone knows where to look in the data might a pattern emerge; otherwise it’s just noise.

Let’s say from those 100 accounts you find 2 vulnerable over a month (or longer) and are able to access resources with them which can be used as a stepping stone for further penetration; you’ve done well.
If I were a malicious state actor, I would verify the vulnerable account a couple of times from different sources, and then use a node in a botnet to actually access the account instead of my “Russian machine”, which might trigger all kinds of alarms.

This slow work will avoid many of the security measures created to detect hit-and-run attacks, since user convenience is also a thing and we don’t want outsiders to generate a denial of access on accounts by locking them out after x attempts without a timebox after which it’s freed up again.
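The two patterns Wes and Jos describe, a fast burst against one account versus a slow spray of one or two guesses per account from many sources, can be told apart in authentication logs. The following is an added example, not code from the original post, from Microsoft, or from any commenter: a small Python detector run over constructed sample log lines. The log format, the field names, the IP addresses and the thresholds are all assumptions chosen for the illustration.

```python
"""Tell a password spray apart from a brute-force burst in auth logs."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format (not a real product's format):
#   2023-11-20T00:00:00 auth FAIL user=alice src=203.0.113.7
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def build_sample_log():
    """Constructed sample data (not real logs): a noisy brute force against one
    account, then a slow spray of one guess per account, each guess from a
    different source IP, spread over most of a day."""
    t0 = datetime(2023, 11, 20, 0, 0, 0)
    lines = []
    # Brute force: 12 failures within one minute, one account, one source IP.
    for i in range(12):
        ts = t0 + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} auth FAIL user=alice src=203.0.113.7")
    # Spray: 30 accounts, one failure each, ~45 minutes apart, 30 different IPs.
    for i in range(30):
        ts = t0 + timedelta(minutes=45 * i)
        lines.append(f"{ts.isoformat()} auth FAIL user=test{i:02d} src=198.51.100.{i + 1}")
    # Background noise: one legitimate successful login.
    lines.append(f"{(t0 + timedelta(hours=8)).isoformat()} auth OK user=bob src=192.0.2.10")
    return "\n".join(lines)


def parse_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_brute_force(events, window=timedelta(minutes=5), threshold=10):
    """Return accounts with >= threshold failures inside any sliding window.
    This is the hit-and-run pattern that per-account lockout already catches."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def detect_spray(events, window=timedelta(hours=24), min_accounts=20, max_per_account=3):
    """Look for the slow pattern: within one window, many distinct accounts each
    fail only a few times (so no single account trips lockout), typically from
    many sources. Returns the first window that crosses the thresholds, or []."""
    fails = sorted((e["ts"], e["user"], e["src"]) for e in events if e["result"] == "FAIL")
    start = 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        per_user = Counter(u for _, u, _ in fails[start:end + 1])
        # Accounts hit only a few times each: invisible to per-account lockout.
        low_rate = {u for u, n in per_user.items() if n <= max_per_account}
        if len(low_rate) >= min_accounts:
            sources = {s for _, u, s in fails[start:end + 1] if u in low_rate}
            return [{"window_end": fails[end][0], "accounts": len(low_rate),
                     "sources": len(sources)}]
    return []


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("brute force against:", detect_brute_force(evs))
    print("spray findings:", detect_spray(evs))
```

The point of the two functions is that they key on different things: the brute-force check counts failures per account, which is exactly what lockout does, while the spray check counts distinct accounts that each fail only a little, which is what lockout cannot see. Tuning the thresholds is the hard part in practice; a spray slow enough to stay under `min_accounts` per window is why long windows (days rather than minutes) and per-tenant baselines are worth keeping.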

Meade January 29, 2024 11:48 AM

MICROSOFT is of course concealing the full extent of this dangerous & utterly humiliating penetration of their security

many other ‘expert’ companies and especially the US Federal Government have suffered similar security disasters

NSA is sure doing a great job defending America from foreign cyber threats

but obviously Joe Biden must immediately form still another pathetic White House Special Commission on cyber security

m.vincent January 29, 2024 2:52 PM

to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts

Um… that was a production non-test administrative account, if it had that kind of access. It doesn’t matter that some people thought it was non-production, or had forgotten about it—both of which are very negative shibboleths regarding Microsoft security practices (as is that account having a weak password and no secondary authentication).

ResearcherZero January 30, 2024 1:08 AM

@Jos, @ALL

“Force Kerberos authentication whenever possible and block NTLM v2 on both the network and applicative levels.”

An SMB device that does not support signing allows interception and relay attacks from malicious parties…

WPA (Windows Performance Analyzer) attempts to authenticate using NTLM v2 over the open web. When the NTLM v2 hash is passing through the open internet, it is vulnerable to relay and offline brute-force attacks.

Because no salting (adding a random value to the password to prevent pre-computed hash tables) takes place, they are password equivalent, meaning that if you grab the hash value from the server, threat actors can authenticate without knowing the actual password.

‘https://www.varonis.com/blog/outlook-vulnerability-new-ways-to-leak-ntlm-hashes

Microsoft has decided to introduce SMB NTLM Blocking, alternative ports for SMB and other magical s-tuff in preview builds…

‘https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-client-encryption-mandate-now-supported-in-windows-insider/ba-p/3964037

…and even block incoming NetBIOS (137-139) in the firewall! Ground breaking. 😐

‘https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-firewall-rule-changes-in-windows-insider/ba-p/3974496

My apologies if I sound a little sarcastic about that feature.

ResearcherZero January 30, 2024 5:27 AM

Of course if you already have admin access within the corporate environment, then it is much easier to hide your tracks and exfiltrate data without raising much suspicion.

Move into the networks of a dozen others or more, undetected. Gaining a picture of the security posture of those other companies, perhaps while they are in the process of absorbing other enterprise, cloud, or network edge providers, and their relevant procedures, and interactions.

Givon Zirkind January 30, 2024 8:43 AM

According to Kate Fazzini, insider trading is the big hack. Most profitable. Carding is for chumps.

Givon Zirkind January 30, 2024 8:45 AM

Could there be something more nefarious to this than insider trading? Getting into the code of the game somehow and using it as a sleeper, time bomb, monitor?

Bob January 30, 2024 9:42 AM

@Anonymous

It is common knowledge and praxis that terrorists leave behind their passports and the hackers leave behind the Russian fingerprints.

The Barracuda breaches I saw this past summer were absolutely loaded with Russian and Ukrainian addresses. Then just weeks later Mandiant came out and attributed it to China.

Francis Mayer January 30, 2024 11:45 AM

The US refuses to implement strong security laws with teeth for information technology. Key infrastructure is even weaker than Microsoft corporate assets. We are at far more risk than necessary for no better reason than making things convenient for the community. It is not just in cybersecurity but the world’s governments are totally captured by corporate interests over the needs of the world’s people. That is why we have unending catastrophes that are totally preventable. This means the big problem is a policy problem, not some technical challenge.

lurker January 30, 2024 12:16 PM

Microsoft Executives Hacked the headline says.
I fear not enough of them were hacked hard enough in the right places, for the company to finally at long last develop some awareness of security. Stopping inbound NetBios is too little, too late.

echo January 30, 2024 9:09 PM

Locking accounts out after three attempts and requiring either a phone call or in-person visit to the office of the administrator who will issue a new password and look at you funny if you aren’t a person attached to the account is a thing.

Private networks are a thing too.

Rookie error from Microsoft…

As for the Russians, whether they did or didn’t have anything to do with this, it’s known the Russians are up to no good. If it’s not disinformation operations it’s attempts to bring down civilian infrastructure.

Of course if the useful idiot is the job title at the top (for example Boris Johnson and the Orange *&%$ Gibbon) then all bets are off. Speaking of which, useful idiot Musk just got clobbered for $56 billion. A judge voided his $56 billion pay package. There’s also a fair few questions finance regulators should be asking about his conduct at SpaceX and Tesla, especially Tesla. How his behaviour doesn’t constitute stock price manipulation and fraud I don’t know. There’s a lot of unjust enrichment in there and detriment as a precursor to his purchase of Twitter, which he promptly turned into a far right disinformation platform. “Free speech”? Not really. Not when bomb threats and other shenanigans are happening because of this. He may be five steps removed but certainly swimming in the same pond as domestic terrorists and various far right aligned politicians abusing their position.

If Microsoft were handed the bill for all the time their products have wasted or the grief they have caused they’d go bankrupt overnight.

|>1sM4L D4N February 1, 2024 10:25 PM

The day Microsoft, a convicted monopoly, goes bankrupt I will rejoice, dance and piss on its grave.

You’ve been allowed too much power for far too long.

john freeze February 6, 2024 3:42 AM

@lurker
you don’t need an account to read it (at least it works in a private browser window)

Cyber Pundit February 7, 2024 1:20 AM

I’m optimistic that researchers are exploring connections between stock trading and email breaches. The idea of insider trading becoming a lucrative venture for Russian hackers is concerning.

JTC February 20, 2024 8:17 PM

Let me get this straight. Microsoft cannot prevent intruders into its network, but after they have done what they want, Microsoft can now magically determine exactly where the attack came from, even to the Russian intelligence agency. You are liars, Microsoft, pure liars. What did the Russian intelligence agency do, accidentally drop their calling card?

Clive Robinson February 21, 2024 1:37 AM

@ JTC, ALL,

“Microsoft can now magically determine exactly where the attack came from, even to the Russian intelligence agency. You are liars, Microsoft, pure liars. What did the Russian intelligence agency do, accidentally drop their calling card?”

In a way yes.

First remember Microsoft is a very large organisation with many, many different teams, so it would be a very different team investigating the mess than the team that created it in the first place.

Now consider writing code is like writing a story, poem, words to a song or the music itself.

With written works you can read the author’s style coming through in the word usage and phraseology; it’s why you like their books etc. Same as you can make a good guess at who the composer of a piece of music you’ve not heard before is.

It’s similar with the writing of code: given sufficient quantities, the individual’s style of writing code comes through.

The problem is not really attributing who wrote the second, third or later example of that style of code writing, but the first.

Often in the early days of writing code an individual gives away who they are via a desire for ego food, money, or whatever other reward drives them on. That is, they don’t start out an expert in all things, so they don’t cover their early tracks well.

Have a read of some of Brian Krebs’ “chase downs”; you will see he has a style in what he looks for, he cannot help it any more than most can change the hand they write with. Nor can those he chases hide their mistakes etc.

One of the things LLM systems can do, as they are in effect matched filters, is recognise style in the training data and match to it.
Unfortunately in so doing they can reverse the process, much like running a wet finger around the rim of a glass can make it resonate. Thus, within fairly rapidly expanding limits, LLMs can reproduce the written word, music or code almost as accurately as we can detect it over a certain range/block size.

Thus we have come to a sort of crossroads where an LLM can, with enough of your code as input, pull out all the basic layers that go into your style of code writing and reproduce it.

In fact we may have got there: we know the CIA had a tool for faking malware such that it looked like the style of different language authors. The tool was not unexpected by those a little ahead of the game; in fact it had been talked about as an idea for “false flag attacks” for some years beforehand on this blog, hence the repeated “attribution is hard” comments made here about the ludicrous attributions being made by the likes of Mandiant etc. that conveniently fell in line with what the US Gov wanted to hear at the time. Well, many have “wised up” as their reputation was getting tarnished, and they are way more cautious about attribution (as they should have been originally).

Well, take it with a pinch of salt the size of Lot’s Wife, but it’s very recently been claimed that China might not be the friend to Russia Putin thought they were. The details are not yet clear, but claims are being made that China are hiding behind Russian code and routing it out via the same routes as Russians have used, thus running a false flag operation.

If true, I suspect the give away was not the code but the information sought out which is an even higher layer of “style”.

spinagocasinoau April 22, 2024 8:57 AM

This incident highlights concerning vulnerabilities in Microsoft’s security protocols. The breach raises questions about access controls and the absence of two-factor authentication. Security measures must evolve to match evolving threats. For more insights on cybersecurity, check out https://spinagocasinoau.com/.

- April 22, 2024 10:05 AM

@Moderator

comment-435697 spinagocasinoau • April 22, 2024 8:57 AM

Advertising illegal services

