
Microsoft explains how Russian hackers spied on its executives


Microsoft recently disclosed that its corporate systems were targeted in a nation-state attack by Russian state-sponsored hackers, the same group that was behind the SolarWinds attack. The hackers were able to access the email accounts of Microsoft’s senior leadership team, potentially spying on them for weeks or months.

While the initial SEC disclosure didn’t provide many details on how the attackers gained access, Microsoft has since published an initial analysis of the situation. The hacking group known as Nobelium, or “Midnight Blizzard,” gained access through a password spray attack, in which attackers try a dictionary of likely passwords against accounts in the hope that one matches. The breached account didn’t have two-factor authentication enabled, which made it easier for the hackers to get in.
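The password-spray pattern described above, as an added detection example that is not from Microsoft’s analysis or from this article: it groups failed sign-ins by source IP over a constructed sample of sign-in events, flags any IP that fails against many distinct accounts inside a short window, and then reports accounts that authenticated successfully from such an IP. All events, addresses and account names below are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry).
# Fields: timestamp, user, source IP, outcome.
EVENTS = [
    ("2024-01-12T09:00:01", "alice@example.test", "203.0.113.7", "fail"),
    ("2024-01-12T09:00:04", "bob@example.test", "203.0.113.7", "fail"),
    ("2024-01-12T09:00:09", "carol@example.test", "203.0.113.7", "fail"),
    ("2024-01-12T09:00:15", "dave@example.test", "203.0.113.7", "fail"),
    ("2024-01-12T09:00:21", "erin@example.test", "203.0.113.7", "fail"),
    ("2024-01-12T09:00:30", "test-legacy@example.test", "203.0.113.7", "success"),
    # One user mistyping their own password from another address: not a spray.
    ("2024-01-12T09:05:00", "alice@example.test", "198.51.100.3", "fail"),
    ("2024-01-12T09:05:10", "alice@example.test", "198.51.100.3", "fail"),
    ("2024-01-12T09:05:20", "alice@example.test", "198.51.100.3", "success"),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: sorted accounts} for IPs that failed against at least
    min_accounts distinct accounts within `window`. A spray spreads a few
    guesses across many accounts, so per-account lockout thresholds never
    fire; grouping failures by source IP is what exposes it."""
    fails = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "fail":
            fails[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


def successes_after_spray(events, flagged):
    """Accounts that signed in successfully from a spraying IP: these are the
    hits to investigate, check for missing MFA, and revoke sessions on."""
    return sorted({user for _, user, ip, outcome in events
                   if outcome == "success" and ip in flagged})
```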

After gaining initial access, the group identified and compromised a legacy test OAuth application that had elevated access to the Microsoft corporate environment. OAuth is a widely used open standard for token-based authentication. This allowed the group to create more malicious OAuth applications and accounts to access Microsoft’s corporate environment and its Office 365 Exchange Online service, which provides email inbox access.

Microsoft has not disclosed the exact number of corporate email accounts that were targeted and accessed. However, it did mention that only a very small percentage of email accounts, including those of senior leadership and employees in cybersecurity, legal, and other functions, were affected.

The attack on Microsoft is part of a larger series of incidents involving the same hacking group. Hewlett Packard Enterprise (HPE) revealed that the hackers had previously gained access to its cloud-based email environment, and the incident was likely related to the exfiltration of a limited number of Microsoft SharePoint files.

This latest cybersecurity incident is another blow to Microsoft, especially following previous attacks on its email servers and the SolarWinds attack. Microsoft’s oversight in not having two-factor authentication on a critical test account is raising concerns in the cybersecurity community.

CrowdStrike CEO George Kurtz expressed his surprise at how a non-production test environment led to the compromise of senior officials at Microsoft. He questioned how this could happen and suggested that there is more to uncover about the incident.

The admission of a lack of two-factor authentication on a crucial test account is a significant oversight by Microsoft. The company claims that if the same non-production test environment were deployed today, mandatory policies and workflows would ensure multi-factor authentication and active protections are enabled. However, Microsoft still has a lot to explain, especially if it wants its customers to believe that it is truly improving its software and services to better protect against security threats.

Ultimately, this incident highlights the ongoing and evolving threats that organizations face in the digital realm. As cyber attacks become more sophisticated, it is essential for companies to constantly reevaluate and enhance their security measures to safeguard their systems and data from malicious actors.
