Microsoft Provides More Details About ‘Midnight Blizzard’ Attacks


Key Takeaways:

  • Microsoft has recently disclosed that the Russian state-sponsored hacking group, Midnight Blizzard, employed sophisticated tactics to breach its corporate systems.
  • The attackers created malicious OAuth applications, manipulated user accounts, and utilized residential proxy networks to obfuscate their activities.
  • Microsoft recommends that organizations adopt robust security measures, including auditing privileges and enforcing access controls, to mitigate the risks posed by state-sponsored hacking groups.

Microsoft has recently published an initial analysis of the cyber-attack that was carried out by Russian state-sponsored hackers in late November of 2023. The company has raised concerns that the same threat actor is currently targeting other organizations and has provided detailed guidance to help organizations strengthen their defenses.

Last week, Microsoft disclosed that a Russian state-sponsored hacking group called Midnight Blizzard (aka Cozy Bear) used password spray attacks to breach its corporate systems. The attackers compromised the email accounts of several senior executives and employees working in the cybersecurity, legal, and other teams.

In a recent blog post, Microsoft has shared further information about the intrusion into its corporate systems. The company says that the hackers managed to gain access by exploiting a legacy test OAuth application that had privileged access to Microsoft’s corporate IT environment. OAuth is a popular open standard for token-based authentication, which allows users to sign into apps and services without a password. The attackers also created additional malicious OAuth applications as part of their attack.

Additionally, Midnight Blizzard created a new user account to grant their OAuth apps access to the internal corporate environment. The threat actors then gave those apps complete access to Office 365 Exchange Online mailboxes. They were able to download some emails and other files from corporate inboxes to determine what information Microsoft might have about their activities.

“As part of their multiple attempts to obfuscate the source of their attack, Midnight Blizzard used residential proxy networks, routing their traffic through a vast number of IP addresses that are also used by legitimate users, to interact with the compromised tenant and, subsequently, with Exchange Online,” Microsoft explained.

How to protect organizations against Midnight Blizzard attacks

Microsoft has recently issued new guidelines to assist IT administrators in safeguarding their environments against malicious OAuth applications. It is highly recommended to audit the current privileges associated with all user and service identities in the environment. In particular, administrators should pay attention to unrecognized identities and to applications that hold high privileges.

Furthermore, Microsoft advises auditing identities that have ApplicationImpersonation privileges in Exchange Online. Any identity holding this role can impersonate users, so a misconfigured or compromised one gives attackers access to every mailbox in the organization. Microsoft also says organizations should use anomaly detection policies to detect malicious OAuth apps and enforce conditional access app control for users connecting from unmanaged devices.
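The two audits recommended above, ApplicationImpersonation holders in Exchange Online and OAuth applications with high privileges, can be run from PowerShell. The script below is an added example, not code from Microsoft's post or from Microsoft's own tooling. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, and the watch list of permission names (`$HighPrivilegeRoles`) and the function names are this example's own choices, not anything Microsoft prescribes.

```powershell
# Added example, not part of Microsoft's guidance or tooling. Requires the
# ExchangeOnlineManagement and Microsoft.Graph PowerShell modules and an account
# able to read Exchange role assignments and Entra ID application data.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# 1. Every assignee of the ApplicationImpersonation role in Exchange Online,
#    expanded to the individual users it takes effect for. Anything here that
#    is not a known, documented service account deserves a closer look.
function Get-ImpersonationHolders {
    Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
        Select-Object RoleAssigneeName, RoleAssigneeType, EffectiveUserName,
                      CustomRecipientWriteScope
}

# 2. Service principals (the tenant-side objects behind OAuth apps) that hold
#    application permissions from a watch list. The list is an assumption made
#    for this example; extend it to match your own environment and risk model.
$HighPrivilegeRoles = @(
    'full_access_as_app',                 # Exchange Online: access to every mailbox
    'Mail.ReadWrite', 'Mail.Read',        # Microsoft Graph mail access without a user
    'Directory.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory',
    'AppRoleAssignment.ReadWrite.All'     # can grant itself or others more permissions
)

function Get-HighPrivilegeApps {
    $resourceCache = @{}   # resource service principal id -> object, to avoid repeated lookups
    foreach ($sp in Get-MgServicePrincipal -All) {
        foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
            if (-not $resourceCache.ContainsKey($assignment.ResourceId)) {
                $resourceCache[$assignment.ResourceId] =
                    Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
            }
            $resource = $resourceCache[$assignment.ResourceId]
            # Translate the app role GUID into the permission name defined by the resource.
            $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
            if ($role -and $HighPrivilegeRoles -contains $role.Value) {
                [pscustomobject]@{
                    App        = $sp.DisplayName
                    AppId      = $sp.AppId
                    Type       = $sp.ServicePrincipalType
                    Resource   = $resource.DisplayName
                    Permission = $role.Value
                    GrantedOn  = $assignment.CreatedDateTime
                }
            }
        }
    }
}

Get-ImpersonationHolders | Format-Table -AutoSize
# Sorting by grant date surfaces recently added consents, which is where a newly
# created malicious app would appear.
Get-HighPrivilegeApps | Sort-Object GrantedOn | Format-Table -AutoSize
```

Enumerating every service principal and its app role assignments can take a while in a large tenant, since Microsoft first-party applications are included; export the result with `Export-Csv` and compare it against an approved baseline so that a new or changed entry stands out rather than being lost in a long list.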

Last week, Hewlett Packard Enterprise (HPE) announced that Midnight Blizzard had hacked its cloud-based email system. This hack occurred in May 2023 and resulted in data being stolen from several HPE mailboxes. HPE also disclosed that this incident is linked to a previous hacking attempt that allowed the hackers to access a limited number of SharePoint files from HPE’s network.