In the wake of a recent cyberattack known as the ‘Midnight Blizzard,’ Microsoft has released new guidance for organizations to protect against persistent nation-state attacks. The attack, attributed to a threat group affiliated with Russia’s Foreign Intelligence Service (SVR), resulted in the compromise of email accounts belonging to several Microsoft employees, including senior leadership. This blog will provide an overview of the attack and delve into the guidance provided by Microsoft to mitigate similar threats.
Understanding the Attack
The ‘Midnight Blizzard’ attack targeted Microsoft’s corporate email system and involved the use of malicious OAuth apps to hide the threat actors’ activity and maintain access to applications. The threat actors gained initial access to a legacy, non-production test account through a password spray attack. They then compromised a legacy test OAuth application with privileged access to Microsoft’s corporate environment. The attackers created additional malicious OAuth applications and granted themselves full access to Office 365 Exchange mailboxes. Their use of residential proxy infrastructure helped obfuscate their activity and evade detection.
Mitigating Risks – Microsoft’s Guidance
Microsoft’s new guidance emphasizes the need to protect against the misuse of OAuth apps. Some of the key recommendations include:
- Auditing Privileges: Organizations should conduct audits of privilege levels associated with all user and service identities, paying close attention to those with high privileges. Privileges that belong to unknown identities, are no longer in use, or are unnecessary should be scrutinized.
- Reviewing ApplicationImpersonation Privilege: Organizations should review identities that have the ApplicationImpersonation privilege in Exchange Online, as misconfigurations or inappropriate scoping can result in broad access to all mailboxes in the environment.
- Anomaly Detection and Conditional Access Controls: Implementing anomaly detection policies can help identify malicious OAuth applications. Additionally, organizations should consider using conditional access application controls to restrict access from unmanaged services.
Detecting Midnight Blizzard – Log Data Analysis
Microsoft’s blog also provides detailed guidance on detecting malicious activity associated with the ‘Midnight Blizzard’ attack. Posture management tools can be utilized to inventory all non-human identities in the environment, particularly those with high risk. Specific indicators include unused OAuth applications with over-permissive access to impersonate every user when authenticating to Office 365 Exchange.
Conclusion
The ‘Midnight Blizzard’ cyberattack serves as a stark reminder of the persistent threat posed by nation-state actors. Microsoft’s new guidance offers valuable insights into protecting against such attacks by focusing on mitigating the risks associated with malicious OAuth apps. By conducting privilege audits, reviewing application impersonation privileges, and leveraging anomaly detection policies, organizations can enhance their security posture and defend against similar attacks. Staying vigilant and proactive in implementing the recommended measures is crucial in today’s evolving threat landscape.
About the Author:
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He has covered various technology topics, including information security and data privacy. Jai’s expertise in cybersecurity and his commitment to providing insightful analysis makes him a trusted source in the industry.
Disclaimer: This blog is based on information from Dark Reading.