**Update:** Since this blog was published, Hewlett Packard Enterprise (HPE) disclosed in a regulatory filing with the SEC that a threat actor believed to be Midnight Blizzard had also gained unauthorized access to their systems. This included access to mailboxes that dated back to May 2023. They have concluded that an incident in June 2023 involving access to SharePoint likely involved the same threat actors and was part of a longstanding campaign. While HPE maintains the breach does not impact business operations or financials, the fact that the threat actors were able to gain and maintain access for such a long period of time will trouble many.
While SharePoint might seem like a relatively innocuous target, threat actors will often use knowledge repositories like this to search for accounts, secrets or intelligence that can allow them to pivot to other systems or escalate privilege. The MITRE ATT&CK framework specifically calls out SharePoint as a resource which can be used by threat actors to mine valuable information. While we don’t know the exact details of this attack and how they were able to access mailboxes of employees, this does reinforce the importance of the principle of least privilege. This applies not only to accounts and identities to prevent the attackers from easily accessing privileges and systems from a compromised identity, but also for knowledge repositories like SharePoint, where not all accounts need access to all areas.
While we might never know what a threat actor intends to do next, by taking a proactive approach to identity security, we can limit what they could do next.
On January 19th 2024, Microsoft publicly acknowledged a data security breach perpetrated by Midnight Blizzard (also called Nobelium). Based on information provided by Microsoft, Midnight Blizzard is a Russian state-sponsored threat actor that targets organizations via social engineering. The nation-state group conducts credential theft by luring victims into social engineering attacks via tools like Microsoft Teams.
In this latest Microsoft attack, Midnight Blizzard targeted Microsoft legacy, non-production test environments with an unsophisticated password spray attack, beginning in November 2023. The threat actors’ successful compromise of a test tenant account led to lateral movement to several accounts within Microsoft, including those of senior leadership team members, cybersecurity, legal, and other departments. Microsoft’s own investigation team concluded the threat actors exfiltrated a limited number of emails, attachments, and (potentially) data. Microsoft believes the attack was not based on a vulnerability in any of their systems, but rather on a simple fault: some systems were still using single-factor authentication and fell victim to a known attack vector.
Read on for a brief overview of password spray attacks, a breakdown of key phases of the Microsoft attack, and how you could defend against such an attack by Midnight Blizzard or other threat actors.
What is a Password Spray Attack?
A password spray attack is a credential-based attack that attempts to access a large quantity of accounts by using a few common passwords. This is conceptually the opposite of a brute force password attack, which attempts to gain unauthorized access to a single account by trying large quantities of passwords against it.
During a password spray attack, the threat actor attempts a single commonly used password (such as ‘12345678’ or ‘Passw0rd’) against many accounts, before moving on to attempt a second password. Essentially, the threat actor tries every user account in their list with the same password before resetting the list and trying the next password. This technique helps the threat actor remain undetected: because attempts against any one account are few and spaced out in time, per-account lockout thresholds are never reached and single-account detection logic is not triggered.
When poor password hygiene is in place and/or multifactor authentication is not present, then the threat actor can succeed in authenticating against an account. The attack blast radius is further broadened if any of the compromised accounts are privileged.
As in the case of this most recent Microsoft breach, password spray attacks typically find success against cloud-based applications that are unmonitored for failed logon attempts or are part of a legacy environment that has been neglected and not subject to modern security controls.
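The detection gap described above is the one to close: a per-account lockout counter never fires when each account sees one or two failures. The added example below (not part of the original post) is a simple detector that instead groups failures by source and looks for many distinct accounts with few attempts each inside a time window; the sign-in events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry): one source tries a
# single password guess against many distinct accounts, spaced out in time,
# plus one legitimate user mistyping their own password twice.
SAMPLE_EVENTS = [
    # (timestamp, source_ip, account, result)
    ("2023-11-20T02:00:05", "198.51.100.7", "test01@legacy.example", "failure"),
    ("2023-11-20T02:00:41", "198.51.100.7", "test02@legacy.example", "failure"),
    ("2023-11-20T02:01:17", "198.51.100.7", "test03@legacy.example", "failure"),
    ("2023-11-20T02:01:52", "198.51.100.7", "test04@legacy.example", "failure"),
    ("2023-11-20T02:02:30", "198.51.100.7", "test05@legacy.example", "failure"),
    ("2023-11-20T02:03:09", "198.51.100.7", "test06@legacy.example", "success"),
    ("2023-11-20T02:02:00", "203.0.113.9", "alice@legacy.example", "failure"),
    ("2023-11-20T02:02:20", "203.0.113.9", "alice@legacy.example", "failure"),
    ("2023-11-20T02:02:45", "203.0.113.9", "alice@legacy.example", "success"),
]

def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return suspected spray sources as {source_ip: sorted accounts targeted}.

    A spray is many DISTINCT accounts failing from one source inside the
    window while each account sees only a few attempts, so a per-account
    lockout threshold is never reached. Brute force (many failures against
    one account) is excluded by max_per_account and left to lockout policy.
    """
    by_source = defaultdict(list)
    for ts, src, account, result in events:
        if result == "failure":
            by_source[src].append((datetime.fromisoformat(ts), account))

    suspects = {}
    for src, fails in by_source.items():
        fails.sort()
        start = 0  # slide a time window across this source's failures
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, account in fails[start:end + 1]:
                counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                suspects[src] = sorted(counts)
    return suspects

def accounts_to_review(events, suspects):
    """Successful sign-ins from a spray source are the first accounts to review."""
    return sorted({acct for _, src, acct, res in events
                   if src in suspects and res == "success"})
```

The thresholds are deliberately tunable: lowering `min_accounts` or widening `window` catches slower sprays at the cost of more false positives from shared NAT addresses.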
4 Effective Identity Security Defenses Against the Midnight Blizzard Attack
1. Mitigate Password Spray Attacks with Enterprise Password Management
From what has been disclosed so far, the first stage of the attack on Microsoft involved password spraying. The best mitigation against password spray attacks is to enforce password complexity and uniqueness for every Internet-based resource. Passwords should never be reused across users or resources.
Enterprise password management solutions should be implemented to ensure password hygiene best practices are enforced at scale for human and machine accounts. Importantly, these solutions should also manage privileged sessions, with the ability to identify potential threats and pause and investigate, or terminate, in-progress sessions.
2. Resist Account Hijacking with Multi-Factor Authentication (MFA)
The attack on Microsoft apparently exploited a single authentication factor (password) to gain the initial foothold Midnight Blizzard needed to further advance their attack. Single-factor authentication is simply not enough to protect enterprise accounts under attack, especially not for accounts providing privileged access.
Requiring additional authentication factors dramatically improves confidence in the identity requesting access and creates another security hurdle for attackers to overcome. However, not all MFA is created equal. For the most sensitive types of accounts and access, phishing-resistant implementations should be used, such as FIDO2.
3. Minimize Lateral Movement by Implementing Endpoint Privilege Management
In the case of the Microsoft breach by Midnight Blizzard, the privileges obtained via the spray attack and any subsequent social engineering conducted by the threat actor potentially allowed for the compromise of other accounts and delegated email access.
To reduce the chance of compromise and also to limit opportunities for lateral movement and exposure beyond a point of compromise, every forward-facing account should adhere to the principle of least privilege (PoLP). A strong least privilege posture entails restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, authorized activities. Implementing the principle of least privilege is also necessary for enabling zero trust architectures and environments.
Endpoint Privilege Management (EPM) is the enterprise solution for operationalizing least privilege and application control across users (human and machine), endpoints, processes, and assets.
4. Rapidly Unmask and Respond to Identity Threats with ITDR
According to the information provided so far, the Microsoft breach arose from a combination of:
a. Lack of some basic security controls (MFA, etc.)
b. The inability to quickly identify and remedy those poor security controls
c. The delay (lag time) in detecting the attack activities.
Organizations should implement Identity Threat Detection and Response (ITDR) to help proactively mitigate poor identity security controls before they are exploited and also to rapidly detect and respond to attacks. For example, ITDR can help isolate events that can occur when an IdP solution allows authentication without MFA, or instances when dormant activity occurs on a system that isn’t normally used by an identity.
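The two ITDR signals named above, a successful authentication without MFA and activity by a dormant identity or on a system it does not normally use, are simple to express once an identity baseline exists. The added example below (not part of the original post) checks constructed sign-in records against a constructed baseline; the field names, the 90-day dormancy threshold and the severity labels are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sign-in records (not real telemetry): who, when, which system,
# whether MFA was satisfied, and whether the account holds privileged roles.
SIGN_INS = [
    {"user": "svc-legacy-test", "app": "legacy-test-tenant", "mfa": False,
     "time": "2023-11-25T03:10:00", "privileged": True},
    {"user": "svc-legacy-test", "app": "mail", "mfa": False,
     "time": "2023-11-25T03:20:00", "privileged": True},
    {"user": "alice", "app": "mail", "mfa": True,
     "time": "2023-11-25T09:00:00", "privileged": False},
    {"user": "bob", "app": "mail", "mfa": False,
     "time": "2023-11-25T09:05:00", "privileged": False},
]

# Constructed identity baseline, as an ITDR tool would build from history:
# last observed activity and the set of systems each identity normally uses.
BASELINE = {
    "svc-legacy-test": {"last_seen": "2023-06-01T00:00:00", "apps": {"legacy-test-tenant"}},
    "alice": {"last_seen": "2023-11-24T17:30:00", "apps": {"mail", "sharepoint"}},
    "bob": {"last_seen": "2023-11-24T18:00:00", "apps": {"mail"}},
}

def find_identity_threats(sign_ins, baseline, dormant_after=timedelta(days=90)):
    """Return (severity, user, description) findings for the ITDR cases the
    text names: authentication without MFA, and activity by a dormant identity
    or on a system the identity does not normally use."""
    findings = []
    for s in sign_ins:
        who, when = s["user"], datetime.fromisoformat(s["time"])
        if not s["mfa"]:
            # A privileged account reachable with a single factor is the worst case.
            sev = "high" if s["privileged"] else "medium"
            findings.append((sev, who, "authenticated without MFA on " + s["app"]))
        profile = baseline.get(who)
        if profile is None:
            findings.append(("high", who, "no baseline: unknown identity"))
            continue
        idle = when - datetime.fromisoformat(profile["last_seen"])
        if idle > dormant_after:
            findings.append(("high", who, f"dormant for {idle.days} days, now active"))
        if s["app"] not in profile["apps"]:
            findings.append(("medium", who, "first use of system " + s["app"]))
    return findings
```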
Next Steps to Improving Your Identity Security
As Microsoft disclosed, no vulnerabilities were exploited in their environment—the entire breach was based on identity attack vectors. While the breach of Microsoft is fresh, and there may be more information on this in the coming months, from what we know so far, there are clear, effective identity security steps organizations can take to improve their security posture and mitigate similar attacks.
BeyondTrust solutions could likely have broken this attack at multiple stages—from managing privileged passwords, to enforcing least privilege, to identifying and mitigating poor security postures (lack of MFA, etc.), to potentially zeroing in on and stopping threat activities.
To learn more, visit beyondtrust.com, or contact us today.
Morey J. Haber, Chief Security Advisor
Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his nearly 12-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board, assisting the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as a part of the acquisition of eEye Digital Security, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.