In our previous blog covering the attack on Microsoft by the threat actor Midnight Blizzard (also known as Nobelium), we discussed how Midnight Blizzard targeted Microsoft legacy, non-production test environments with an unsophisticated password spray attack. As a follow-up, we are diving into the unique features that set this attack apart, some of the motivations behind this latest attack, and how this nation-state attack against Microsoft highlights the importance of an identity-first approach to security.
As Microsoft acknowledged, the attack was not the result of a vulnerability in Microsoft products or services—instead, it was the result of poor identity security hygiene, leading to the compromise of a test account in a non-production system. This single account appears to have given attackers a foothold that provided access to the emails of senior leadership, cybersecurity, legal, and other functions within Microsoft. This is the latest in a growing wave of identity attacks that are allowing threat actors to exploit identities and privileges to access information without malware or code exploits, all while remaining undetected.
The Midnight Blizzard Attack
While Microsoft has only shared limited details of the attack so far, let’s take a look at what we already know. In late November 2023, the threat actor successfully targeted a legacy, non-production test tenant account using a password spray attack.
The threat actors then used the compromised test tenant account’s entitlements to access what Microsoft has characterized as “a very small percentage of Microsoft corporate email accounts.” However “small,” this included the emails and attachments of senior leadership, cybersecurity, legal, and other functions within Microsoft.
Following Microsoft's statement, Hewlett Packard Enterprise (HPE) disclosed a regulatory filing with the SEC stating that a threat actor believed to be Midnight Blizzard had previously gained unauthorized access to their systems, including access to mailboxes that dated back to May 2023. Their investigation concluded that an incident in June 2023, which involved access to SharePoint, was likely perpetrated by the same threat actors and may have been part of a longstanding campaign. HPE maintains the breach does not impact business operations or financials; however, the fact that the threat actors were able to gain and maintain access for such a long period of time remains a source of concern for many.
SharePoint may seem like a relatively innocuous target, but threat actors often use knowledge repositories like this to search for accounts, secrets, or intelligence that can allow them to pivot to other systems or escalate privilege. The MITRE ATT&CK framework specifically calls out SharePoint as a resource which can be used by threat actors to mine valuable information. We don’t know the exact details of this attack or how Midnight Blizzard were able to access mailboxes of employees. What we do know is that this attack reinforces the importance of the principle of least privilege. This principle applies not only to accounts and identities to prevent the attackers from easily accessing privileges and systems from a compromised identity, but also for knowledge repositories like SharePoint, where not all accounts need access to all areas.
Are the tactics used by Midnight Blizzard new?
Midnight Blizzard's attack on Microsoft successfully leveraged two popular threat tactics:
- Targeting legacy accounts - Targeting of legacy, dormant, or test accounts and systems is a popular tactic for a range of threat actors, from nation-states to teen hacking crews, like LAPSUS$. Privileged test accounts might be used during the initial setup of an application or system, but are never subsequently removed. This makes them a prized target for attackers.
- Targeting dormant accounts - Threat actors like APT29 specialize in targeting dormant accounts with password attacks and then exploiting self-enrolment processes for MFA to add an authentication factor that is under their control. This then gives them an identity that serves as excellent cover to access other systems and information.
Where have we seen attacks like this before?
While details are limited around the exact permissions and entitlements used in this attack, we can look to examples from previous attacks, such as Mango Sandstorm, where the attackers pivoted from a compromised Azure AD account using a legitimate Azure OAuth application and enabling the full_access_as_app permission to access mailboxes through Exchange Web Services. The attacker could then add certificates to the app, which were used to issue access tokens and authenticate on behalf of the application to access mailboxes.
In any case, it appears the compromised test account either:
a. had a significant level of privilege assigned to it, or
b. had a path to access privileges possible via application ownership and privileged service principles associated with an application.
Without the right tooling in place, these paths to privilege can be difficult to uncover and can easily be overlooked in the race to the cloud.
Motives for the attack: cyber espionage or strategic recon?
On January 12th, 2024, the Microsoft security team detected the attack and began their incident response process. So far, the investigation has indicated that the threat actors were hunting for information related to themselves. Given that Microsoft has been shining a spotlight on Midnight Blizzard and several other nation-state threat actors, this type of information harvesting attack was inevitable. While quoting Sun Tzu in a security blog is a cliché, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” As such, threat actors have a vested interest in understanding what Microsoft knows about them so they can stay ahead in the battles to come.
Difficult to detect: the unfortunate feature of identity-based attacks
The fact that this attack remained undetected for around two months might seem shocking, but given the lack of visibility that many organizations have around identity security and activity, this is not uncommon. Most organizations are geared up to detect malicious code and known hacking tools, but have a blind spot when it comes to which identities represent the greatest risk or are actively being exploited. After all, it can be very difficult to differentiate between an attacker logging in using a compromised identity and the real user.
What else do we know about Midnight Blizzard / Nobelium?
Midnight Blizzard / Nobelium hit the headlines with the SolarWinds hack back in 2020. Since then, they have evolved their attacks. They are known to target individual accounts using password sprays and other common techniques, as well as by exploiting unpatched systems to gain initial access.
Once Midnight Blizzard attains access, they follow a fairly typical pattern of hunting for privileged accounts that enable them to reach their targets within the network. They have an excellent understanding of enterprise systems and have proven themselves very capable of evading defenses and detection.
Recently, Midnight Blizzard has been targeting Microsoft 365 tenants of small businesses to create a pool of compromised tenants that they then rename using “onmicrosoft.com” domains that sound similar to technical functions within their target organization. Once the threat actors have a compromised tenant with a name similar to a technical support function of their target, they use Teams messages with lures that are designed to steal credentials or tokens. This allows the attacker to hijack the account and authenticate as the targeted user.
Examples of compromised tenant domains used by Midnight Blizzard:
Once they have gained access to a target user account, they will attempt to add a managed device via EntraID to bypass conditional access policies that limit resource access to managed devices.
How can BeyondTrust help?
In our previous blog on this attack, we covered 4 effective identity security defenses against the Midnight Blizzard attack, which is worth a read. That blog highlights these four recommendations that can be implemented with BeyondTrust solutions:
- Mitigate Password Spray Attacks with Enterprise Password Management
- Resist Account Hijacking with Multi-Factor Authentication (MFA)
- Minimize Lateral Movement by Implementing Endpoint Privilege Management
- Rapidly Unmask and Respond to Identity Threats with ITDR
In this blog, we are now going to delve deeper into #4, where the right visibility not only illuminates poor security controls and risks, but can also help orchestrate a rapid, pinpoint response to stop an in-progress attack. In the recent Microsoft attack, there was roughly a two-month dwell time before the attack was discovered. This gave Midnight Blizzard a big head start.
BeyondTrust can help your organization gain deep visibility and control over your identities, the associated risks, and active threats. Our Identity Security Platform helps reduce your attack surface and eliminate identity security blind spots.
While we anticipate updates in the case of the Microsoft attack, let’s review a few critical security practices you can implement right away:
- Know where your identities exist and understand what privileges they have and what controls protect them. Do you have dormant or orphaned privileged accounts? Do they have MFA enabled? Are they managed by a PAM solution? Do accounts have entitlements in Azure that allow them to elevate their privilege? Can you do something proactively to reduce the attack surface? Siloes and traditional security can make it challenging to connect the dots between identities and risks. Don’t settle for a partial view of your identities and risks. Every unmanaged account, excess privilege, and uncontrolled access is an invitation for disaster. Take control. Gain a unified view of your identities and risks across the entire identity landscape.
- Rapidly recognize when accounts and identities are under attack, and reduce lag time / dwell time to response to as close to zero as possible. Alerts and logs, often scattered across disparate systems, whisper in a cacophony of events, making it challenging to differentiate an attacker from a legitimate login. The devil, as always, is in the details—the context. A simple logon, while seemingly innocuous by itself, takes on a sinister hue when tied to a highly privileged account or suspicious activity. Understanding the “blast radius” of a compromised or at-risk identity, the potential damage it can inflict, is also crucial in prioritizing response and stopping threats before they strike. This is where context matters.
BeyondTrust Identity Security Insights can help you gain visibility over all your identities, providing a clear picture of where privileges, entitlements, and risk exist in your organization. For example, you can find privileged accounts in your organization and clearly see if those accounts are dormant. You can see if the accounts lack MFA. You can also identify if these privileged accounts are being managed by PAM and if they are under attack from a password spray.
Identity Security Insights allows you to focus on an individual identity, with a consolidated view of all the accounts, privileges, and entitlements for that identity. This view includes the context of any active threats that have been detected. In addition, the product provides effective recommendations to further harden your identities and identity infrastructure against attacks. This enables your organization to understand your greatest identity risks, harden your identity security posture, and quickly detect and respond to identity-driven attacks.
In the example above, we can not only highlight that a password spray occurred, but that it resulted in successful authentication. This is provided alongside contextual information about the accounts and identities, making it easier to understand, prioritize, and respond.
How Identity Security Insights helped marshal a response to the Okta Support Breach
The 2023 compromise of Okta’s Support system experienced similar dwell time to the recent Microsoft attack. While it took Okta more than two weeks to confirm a breach had taken place, BeyondTrust’s Identity Security Insights tool, alongside other tooling, allowed our security teams to immediately detect an identity-centric attack on an in-house Okta administrator account, and block all access to the attacker, preventing additional exposure to our internal systems or BeyondTrust’s customers. BeyondTrust was the first to notify Okta of the suspected breach and was further able to provide crucial insights that would help Okta identify the extent of their compromise.
Conclusion: How to neutralize modern cyber threats
Regardless of the threat actor, if you can control and secure identities, you can stop or neutralize most modern cyber threats. Identity is the common thread across attacks on all systems--from on-prem, to cloud, to SaaS. So, if you can immunize identities and automatically detect identity-based attacks, you can safeguard the entire identity fabric and beyond!
James Maude, Director of Research
James Maude is the Director of Research at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.