Microsoft Shares New Guidance in Wake of 'Midnight Blizzard' Cyberattack
Threat actors created and abused OAuth apps to access Microsoft's corporate email environment and remain there for weeks.
January 26, 2024
Microsoft has released new guidance for organizations on how to protect against persistent nation-state attacks like the one disclosed a few days ago that infiltrated its own corporate email system.
A key focus of the guidance is on what organizations can do to protect against threat actors using malicious OAuth apps to hide their activity and maintain access to applications, despite efforts to boot them out.
The attack on Microsoft by Midnight Blizzard aka Cozy Bear — a threat group affiliated with Russia's Foreign Intelligence Service (SVR) — resulted in the compromise of email accounts belonging to several Microsoft employees, including senior leadership.
Over a period of several weeks beginning late November 2023, the attackers accessed Microsoft's corporate email accounts and exfiltrated emails and document attachments in an apparent bid to determine what information the company might have on Midnight Blizzard itself.
A recent SEC filing that surfaced this week showed that the threat actor, whom the US government has formally identified as the perpetrator of the SolarWinds hack, also breached Hewlett Packard Enterprise's (HPE) cloud-based email environment last May. The attacks are believed to be part of a broader and ongoing intelligence-gathering effort by SVR/Midnight Blizzard for potential future campaigns.
In its Jan. 19 blog initially disclosing the attack, Microsoft described Midnight Blizzard as having gained initial access to its environment via a legacy, non-production test account that the threat actor compromised via a password spray attack. Further investigation by the company — detailed in its latest blog this week — showed that Midnight Blizzard actors used a "vast number" of legitimate residential IP addresses to launch their password spray attacks against targeted accounts at Microsoft, one of which happened to be the test account they compromised. The threat actors' use of residential proxy infrastructure for the attacks helped obfuscate their activity and evade detection, Microsoft said.
Abusing OAuth Apps
Once the attacker gained initial access to the test account, they used it to identify and compromise a legacy test OAuth application with privileged access to Microsoft's corporate environment. Subsequently, "the actor created additional malicious OAuth applications," Microsoft said. "They created a new user account to grant consent in the Microsoft corporate environment to the actor-controlled malicious OAuth applications."
The adversary used the legacy OAuth app they had compromised to grant themselves full access to Office 365 Exchange mailboxes, Microsoft said. "The misuse of OAuth also enables threat actors to maintain access to applications, even if they lose access to the initially compromised account," the company noted.
Tal Skverer, research team lead at Astrix Security, says Midnight Blizzard actors leveraged malicious OAuth tokens because they likely knew their access to the compromised account would be detected.
"Considering the scrutiny that user — human — accounts go through when it comes to their security, the success of the password spraying attack in this case was time-limited," he says. "So, while they had [access], they created OAuth apps and consented to them, generating non-expiring OAuth access tokens to the attackers."
Some of these permissions can persist even if an originally compromised account is disabled or deleted, allowing attackers to retain their access even if they lose access via an initially compromised account, Skverer says.
Thwarting Malicious OAuth
Microsoft's Jan. 25 blog offered guidance to organizations for mitigating risks related to the misuse of OAuth apps. The recommendations include the need for organizations to audit the current privilege levels associated with all identities — both user and service — and to focus on those with high privileges.
"Privilege should be scrutinized more closely if it belongs to an unknown identity, is attached to identities that are no longer in use, or is not fit for purpose," Microsoft said. When reviewing privileges, an administrator should keep in mind that users and services can often have privileges over and beyond what they require, the blog noted.
Organizations also should audit identities that hold the ApplicationImpersonation privilege in Exchange Online, which allows a service to impersonate a user and execute the same operations that user can, Microsoft advised.
"If misconfigured, or not scoped appropriately, these identities can have broad access to all mailboxes in an environment," the company warned.
Organizations should also consider using anomaly detection policies to identify malicious OAuth applications and conditional access application controls for users connecting from unmanaged services, Microsoft said.
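As an added illustration (not code from Microsoft's blog or from Astrix), the three review criteria above applied to a constructed inventory of workload identities. The app names, owners and dates are made up; `full_access_as_app` and `ApplicationImpersonation` are the Exchange Online permissions assumed here to represent the tenant-wide mailbox access the guidance warns about.

```python
from datetime import date

# Constructed inventory of OAuth apps / service principals, the kind a posture
# tool or a Graph export would produce. Not real Microsoft data.
TODAY = date(2024, 1, 26)
INVENTORY = [
    {"name": "hr-sync-prod", "owner": "HR Engineering",
     "last_used": date(2024, 1, 24), "perms": ["Mail.Read"]},
    {"name": "legacy-test-app", "owner": None,
     "last_used": date(2023, 6, 2), "perms": ["full_access_as_app"]},
    {"name": "ews-impersonator", "owner": "Unknown",
     "last_used": date(2024, 1, 20), "perms": ["ApplicationImpersonation"]},
]

# Permissions that let an app read or act as every mailbox in the tenant
# (assumed names for the Exchange Online app role and RBAC role).
MAILBOX_WIDE = {"full_access_as_app", "ApplicationImpersonation"}


def review_privileges(inventory, today=TODAY, stale_days=90):
    """Flag identities that are unknown, no longer in use, or hold
    permissions broader than their purpose, per Microsoft's guidance."""
    findings = []
    for app in inventory:
        reasons = []
        if not app["owner"] or app["owner"].lower() == "unknown":
            reasons.append("unknown identity (no accountable owner)")
        if (today - app["last_used"]).days > stale_days:
            reasons.append(f"not used in the last {stale_days} days")
        broad = MAILBOX_WIDE.intersection(app["perms"])
        if broad:
            reasons.append("tenant-wide mailbox access: " + ", ".join(sorted(broad)))
        if reasons:
            # Broad access combined with any other red flag is the Midnight
            # Blizzard pattern: an unused or unowned app that can read all mail.
            priority = "high" if broad and len(reasons) > 1 else "review"
            findings.append({"app": app["name"], "priority": priority,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_privileges(INVENTORY):
        print(f["priority"].upper(), f["app"], "->", "; ".join(f["reasons"]))
```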
How to Detect Midnight Blizzard
The blog also included detailed guidance on what to look for in log data to hunt and detect malicious activity such as that associated with Midnight Blizzard.
Skverer says posture management tools can help organizations inventory all non-human identities (NHIs) in their environment — especially those that pose the highest risk.
"Specifically, for the TTPs used by Midnight Blizzard, these tools would highlight an unused OAuth application, having over-permissive access to impersonate every user when authenticating to Office 365 Exchange," he says.
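An added example, not from Microsoft's blog, of a hunting rule for the sequence the article describes: a newly created account consenting to a newly registered app that is then granted mailbox-wide access. The events are constructed; the activity names are assumptions modelled on Entra ID audit log display names, and the accounts, app names and timestamps are invented.

```python
from datetime import datetime, timedelta

# Constructed audit events in the shape of Entra ID audit log entries.
EVENTS = [
    {"time": "2023-11-28T02:10:00Z", "activity": "Add user",
     "actor": "testacct@corp.example", "target": "svc-consent@corp.example"},
    {"time": "2023-11-28T02:15:00Z", "activity": "Add service principal",
     "actor": "testacct@corp.example", "target": "mail-sync-helper"},
    {"time": "2023-11-28T02:20:00Z", "activity": "Consent to application",
     "actor": "svc-consent@corp.example", "target": "mail-sync-helper"},
    {"time": "2023-11-28T02:21:00Z",
     "activity": "Add app role assignment to service principal",
     "actor": "svc-consent@corp.example", "target": "mail-sync-helper",
     "role": "full_access_as_app"},
    {"time": "2023-11-29T09:00:00Z", "activity": "Consent to application",
     "actor": "alice@corp.example", "target": "hr-sync-prod"},
]

MAILBOX_WIDE = {"full_access_as_app"}  # assumed Exchange Online app role name


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def hunt_consent_chain(events, window_hours=24):
    """Flag consent granted by an account created within `window_hours`,
    and record who registered the app and any mailbox-wide role it got."""
    user_created = {e["target"]: _ts(e) for e in events if e["activity"] == "Add user"}
    app_created_by = {e["target"]: e["actor"] for e in events
                      if e["activity"] == "Add service principal"}
    findings = []
    for e in events:
        if e["activity"] != "Consent to application":
            continue
        born = user_created.get(e["actor"])
        if born is None or _ts(e) - born > timedelta(hours=window_hours):
            continue  # long-lived account, or created before the log window
        roles = sorted(g["role"] for g in events
                       if g["activity"] == "Add app role assignment to service principal"
                       and g["target"] == e["target"] and g.get("role") in MAILBOX_WIDE)
        findings.append({"app": e["target"], "consenting_user": e["actor"],
                         "user_age_minutes": int((_ts(e) - born).total_seconds() // 60),
                         "app_registered_by": app_created_by.get(e["target"]),
                         "mailbox_wide_roles": roles})
    return findings
```

The account that registered the app (`app_registered_by`) is the pivot back to the initially compromised identity, which is what the guidance suggests reviewing even after that account has been disabled.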