Protecting an organization’s most valuable asset, its data, is an issue that keeps IT security personnel and decision-makers up at night. Companies typically spend significant resources trying to keep information safe and away from the prying eyes of threat actors. In many cases, organizations have migrated the IT environment to the cloud in an attempt to provide more robust security.
Recent targeted attacks on data residing in the Microsoft Cloud demonstrate the importance of taking the necessary steps to protect information no matter where it is stored. Successful cyber attacks on Microsoft senior management and a similar attack on Hewlett Packard Enterprise (HPE) have focused attention on potential security vulnerabilities that have not been effectively addressed by the company. These vulnerabilities may also put your company’s sensitive and valuable information at risk.
We are going to take a close look at the details of these attacks and the group behind them. We’ll also discuss the kinds of cybersecurity measures a company can take to protect their data resources from being compromised and exfiltrated by malicious threat actors.
Targeted Attacks by Russian State-Sponsored Threat Actors
Microsoft’s corporate systems were breached in late November 2023 by a Russian nation-state group of threat actors going by the name Midnight Blizzard, Cosy Bear, APT29, or Nobelium. This hacker group is also responsible for the 2020 SolarWinds supply chain cyberattack that affected thousands of organizations. They are affiliated with Russia’s Foreign Intelligence Service (SVR) and are considered a major threat due to their attacks on Microsoft 365 environments.
The Midnight Blizzard attack was performed by compromising the victim’s IT infrastructure and embedding advanced persistent threats (APTs) which were used to locate viable targets and exfiltrate data. This type of autonomous malware makes use of AI and machine-learning technology to search for high-value targets or specific information resources that are of interest to the hacker group.
The Microsoft Attack
The attack on Microsoft executives was not discovered until January 12, 2024. Research conducted by the company’s security teams indicated the systems were compromised in late November. The Midnight Blizzard malware remained undetected for close to two months during which it stole emails and other documents from Microsoft executives.
Threat actors compromised a legacy, non-production test tenant account which was used as the platform for the attack. Credentials were hacked using a password spray attack, a kind of brute force method often employed as a way to gain first access to an environment. This kind of attack can easily be prevented by implementing multi-factor authentication to protect against compromised account credentials.
After gaining access to the environment, the hackers took control of a legacy test OAuth application and used it to create additional apps with the necessary privileges to access Microsoft corporate email accounts. The APT escaped detection by hiding on residential proxy networks using IP addresses that appeared to indicate legitimate users.
Attacking a non-production legacy account demonstrates the need to implement stringent security measures for every component in the IT environment. The security protecting the account was not updated to reflect Microsoft’s current authentication policies and guidelines. A hard lesson learned from this example is that organizations should continue to keep legacy accounts updated or sunset them when they are no longer needed or used. They may offer threat actors an easy way to gain access to your infrastructure.
The HPE Attack
Midnight Blizzard is also responsible for compromising Hewlett Packard Enterprise’s cloud-based email system. The exploit was revealed in a regulatory filing in December 2023 in which the company disclosed the group gained access to the systems starting in May 2023. Threat actors accessed and exfiltrated data from HPE mailboxes belonging to multiple business units. A limited number of SharePoint files were also compromised in May.
When made aware of the intrusion in June 2023, the company took containment and remediation activities to eliminate the threat from the environment. It was determined that though the breach had the potential to be damaging to the company, it did not materially affect the business or HPE’s GreenLake hybrid cloud service. The company chose to disclose details of the attack to comply with new SEC regulatory disclosure guidelines.
Defending Your Data Against This Specific Exploit
Microsoft has offered guidance on addressing this specific exploit and protecting data stored in its M365 cloud environment. The focus of this guidance is on how to protect IT resources from threat actors using malicious OAuth apps to conceal their identity so they can thwart efforts to eliminate them from the infrastructure.
- Stopping malicious use of OAuth applications requires organizations to audit privilege levels associated with all user and service identities to identify those with high privileges. Additional scrutiny should be given to unknown identities or those that are no longer in use. This review offers an opportunity to eliminate elevated privileges that can be deliberately or accidentally misused.
- Particular care should be given to Exchange Online identities with the ApplicationImpersonation privilege which lets a service impersonate a user. Incorrect configuration allows wide-ranging access to all mailboxes in an environment.
- Anomaly detection solutions should also be implemented to identify potentially malicious OAuth applications. Hijacked OAuth apps can provide hackers with elevated permissions with which to compromise mailboxes and data assets.
Let Us Help You Secure Your Valuable Data
The cyberattacks discussed above are just two of the many attacks attempted by threat actors every day. It can be challenging for businesses to deploy adequate resources to protect their valuable assets. VAST has your back with a wide range of security offerings that help you keep your business safe. Our security-focused services include the following cloud-centric solutions.
- Security Lifecycle Review – VAST’s expert team will review your IT security and identify potential vulnerabilities and risks. We help develop a strategy to protect your environment and maintain data safety.
- Cloud Access Security – We offer security solutions that go beyond traditional measures such as firewalls to protect the data in your mobile workforce. We help you understand where data resides and ensure it is only accessed by authorized users.
Give us a call and let us help you protect your cloud data from sophisticated threat actors.