White on transparent

Russian state hackers exploited a weakness in the Microsoft password system.

Senior executives’ emails were accessed in a network hack that took two months to detect.

Bucharest, Romania – July 25, 2021: View of Microsoft Romania headquarters in City Gate Towers situated in Free Press Square, in Bucharest, Romania.

Microsoft claimed late Friday that senior executives, staff members in the security and legal departments, and other employees’ emails and documents were compromised by Russia-state hackers using a weak password to gain access to Microsoft’s corporate network.
This is at least the second time in as many years that a breach that might potentially hurt customers has resulted from a failure to follow basic security hygiene. Microsoft ascribed the attack to a hacker group it follows, Midnight Blizzard, which has received support from the Kremlin. The disclosure that was submitted to the Securities and Exchange Commission on Friday covered the following astounding paragraph:

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.

It wasn’t until January 12, precisely one week before Friday’s disclosure, that Microsoft discovered the problem. The possibility that the Russian hackers had unrestricted access to the accounts for up to two months is raised by Microsoft’s statement.
An interpretation of the 93 words mentioned earlier: Inside Microsoft’s network, a device was secured with a weak password and no two-factor authentication mechanism. By repeatedly trying passwords that were either widely used or previously breached, the Russian adversary group was able to guess them until they eventually found the correct one. The threat actor then gained access to the account, suggesting that 2FA was either disregarded or that the security was compromised in some other way.

Moreover, Midnight Blizzard managed to turn around and obtain access to some of the most senior and private personnel accounts in the company by manipulating this “legacy non-production test tenant account.”
According to what Columbia University computer science and affiliate law professor Steve Bellovin, who has decades of experience in cybersecurity, wrote on Mastodon:

A lot of fascinating implications here. A successful password spray attack suggests no 2FA and either reused or weak passwords. Access to email accounts belonging to “senior leadership… cybersecurity, and legal” teams using just the permissions of a “test tenant account” suggests that someone gave that test account amazing privileges. Why? Why wasn’t it removed when the test was over? I also note that it took Microsoft about seven weeks to detect the attack.

Although Microsoft claimed to be unaware of any proof that Midnight Blizzard had access to source code, production systems, customer environments, or artificial intelligence systems, some researchers expressed concerns, especially regarding the possibility that the Microsoft 365 service was or was vulnerable to similar attack methods. Kevin Beaumont, a longtime cybersecurity expert who once worked for Microsoft, was one of the researchers. He posted this on LinkedIn:

Microsoft staff use Microsoft 365 for email. SEC filings and blogs with no details on Friday night are great.. but they’re going to have to be followed with actual detail. The age of Microsoft doing tents, incident code words, CELA’ing things and pretending MSTIC sees everything (threat actors have Macs too) are over — they need to do radical technical and cultural transformation to retain trust.

The acronym CELA stands for Corporate, External, and Legal Affairs, a Microsoft division that assists with disclosure drafting. The Microsoft Threat Intelligence Center is referred to as MSTIC.
According to a Microsoft representative, the business declined to respond to inquiries about whether standard security procedures were followed.
The hack is similar to one that Microsoft experienced the previous year when hackers from China’s state, identified as Storm-0558, gained access to the company’s network. The team gained access to Exchange and Azure accounts over the course of the following month, many of which belonged to the US Departments of State and Commerce.

Microsoft reveals the reason behind the Azure breach at last: There was account hacking for an engineer.
According to what had been reported in September:

The corporate account of one of its engineers had been hacked. Storm-0558 then used the access to steal the key. Such keys, Microsoft said, are entrusted only to employees who have undergone a background check and then only when they are using dedicated workstations protected by multi-factor authentication using hardware token devices. To safeguard this dedicated environment, email, conferencing, web research, and other collaboration tools aren’t allowed because they provide the most common vectors for successful malware and phishing attacks. Further, this environment is segregated from the rest of Microsoft’s network, where workers have access to email and other types of tools.

Those safeguards broke down in April 2021, more than two years before Storm-0558 gained access to Microsoft’s network. When a workstation in the dedicated production environment crashed, Windows performed a standard “crash dump,” in which all data stored in memory is written to disk so engineers can later diagnose the cause. The crash dump was later moved into Microsoft’s debugging environment. The hack of a Microsoft engineer’s corporate account allowed Storm-0558 to access the crash dump and, with it, the expired Exchange signing key.

Normally, crash dumps strip out signing keys and similarly sensitive data. In this case, however, a previously unknown vulnerability known as a “race condition” prevented that mechanism from working properly.

Not to be outdone, Mandiant, the security company owned by Google, just had an X (previously Twitter) account hijacked. Mandiant subsequently stated that a “brute force” attack on the account password was the cause of the breach. Mandiant did not go into detail. According to the explanation, the account was not secured by 2FA, and the password was likewise weak.
Microsoft is moving more quickly to deploy a Secure Future Initiative, which it first unveiled last year, in response to the incident.

Officials from the company stated in Friday’s revelation that “we are shifting the balance we need to strike between security and business risk—the traditional sort of calculus is simply no longer sufficient.” This incident has made Microsoft realize how urgently things need to move even more quickly. Even in cases where these modifications could interfere with already-running business operations, we will take prompt action to extend our current security standards to older systems and internal business processes owned by Microsoft.”

Scroll to Top