What Happened?
The Microsoft Security team disclosed a nation-state attack on January 12, 2024, in which the threat actors gained a foothold in the corporation’s systems and accessed corporate inboxes using elevated privileges. Microsoft’s report attributed the incident to Midnight Blizzard (also known as NOBELIUM). While Microsoft has detected and responded to these threats, its investigation into the incident is still ongoing.
Key Takeaways
Midnight Blizzard/NOBELIUM is a Russian advanced persistent threat group (APT29) that previously launched the historic SolarWinds supply chain attack in December 2020.
According to Microsoft’s report, Midnight Blizzard used password spray attacks to compromise a legacy test tenant account that did not have multi-factor authentication (MFA) enabled. The threat actors then used this initial access to compromise a legacy OAuth test application that held elevated privileges within Microsoft’s corporate environment. While the following findings were not published in Microsoft’s advisory, a report from researchers at Wiz proposes that an Entra ID user account in Microsoft’s corporate environment had granted elevated access to this application, which allowed the threat actors to create malicious OAuth applications and a new Entra ID admin account, and through them to access Microsoft’s corporate environment and the email accounts of the company’s senior leadership and of employees across the company.
During this incident, Midnight Blizzard successfully exfiltrated documents and other data from these accounts.
Why This Matters to MSPs
The tactics Midnight Blizzard used in this incident are not unique to this group. Password spraying, privilege escalation, and lateral movement are increasingly common techniques that threat actors use against the privileged accounts of both MSPs and SMBs to achieve initial access, steal sensitive data, and, in the worst case, deploy ransomware.
Because MSPs serve a large number of SMBs and support their cybersecurity initiatives, they remain prime targets: by compromising a single MSP, a threat actor can potentially reach thousands of users across many organizations.
In response to these threats, MSPs must proactively adopt processes and technology that follow best practices designed to deter cyber criminals, such as Zero Standing Privilege, which addresses the risk posed by persistent administrator access, and Moving Target Defense, which introduces unpredictability and makes it difficult for a threat actor to achieve their goals even after gaining initial access. Several Privileged Access Management solutions can assist MSPs with capabilities like password rotation and Just-in-Time access.
Next Steps
CyberQP’s security experts recommend that concerned MSPs and end users take the following actions to mitigate their risk:
- Use Microsoft Entra ID Protection’s detections to identify potential nation-state threat actor activity, such as the use of residential proxy network infrastructure.
- Specifically, Microsoft recommends checking for unfamiliar sign-in properties, password spray techniques, anomalous user activity consistent with Microsoft’s threat intelligence, and suspicious workload identity logins.
- Consult your XDR or SIEM partner for detections that can help you identify anomalous or malicious activity related to these threats.
- Microsoft Defender XDR users can use the hunting queries linked here.
- Researchers from Wiz have also compiled several hunting queries to identify anomalous activity involving Entra ID OAuth applications.
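As an added illustration of the two detections recommended above (password spray techniques, and anomalous activity involving Entra ID OAuth applications and admin roles), the following Python script is example code written for this briefing; it is not from Microsoft, Wiz, or CyberQP. The sign-in and audit records are constructed for the example, the field names are an assumption loosely modelled on Entra ID sign-in and audit logs rather than an exact schema, and the audit operation names are assumed to match Entra audit activity names. The script first flags source IPs showing the spray shape (many distinct accounts, one or two failures each, within a short window), then treats any account that later succeeded from that source without MFA as a suspect, and finally surfaces application or role changes performed by those suspects.

```python
"""Password spray detection with follow-on OAuth app / admin role correlation.

All records below are CONSTRUCTED for this example; field names are an
assumption modelled loosely on Entra ID sign-in and audit logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def signin(time, user, ip, result, mfa=False):
    """Build one constructed sign-in record."""
    return {"time": time, "user": user, "ip": ip, "result": result, "mfa": mfa}


SIGNINS = [
    # One bad-password attempt per account from a single source: the spray shape.
    *[signin(f"2024-01-12T03:0{i}:00", f"test0{i + 1}@example.test",
             "203.0.113.5", "failure") for i in range(6)],
    # The account that lacked MFA is eventually guessed from the same source.
    signin("2024-01-12T03:10:00", "test04@example.test", "203.0.113.5", "success", mfa=False),
    # Benign noise: a user mistypes twice from her own address, then passes MFA.
    signin("2024-01-12T03:02:00", "alice@example.test", "198.51.100.7", "failure"),
    signin("2024-01-12T03:03:00", "alice@example.test", "198.51.100.7", "failure"),
    signin("2024-01-12T03:04:00", "alice@example.test", "198.51.100.7", "success", mfa=True),
]

# Constructed audit records: the guessed account creates an app and grants itself a role.
AUDITS = [
    {"time": "2024-01-12T03:20:00", "actor": "test04@example.test",
     "operation": "Add application", "target": "legacy-sync-helper"},
    {"time": "2024-01-12T03:22:00", "actor": "test04@example.test",
     "operation": "Add member to role", "target": "Global Administrator"},
    {"time": "2024-01-12T03:25:00", "actor": "carol@example.test",
     "operation": "Add application", "target": "hr-reporting"},
    {"time": "2024-01-12T03:30:00", "actor": "alice@example.test",
     "operation": "Update user", "target": "alice@example.test"},
]

# Audit operations that create or empower identities (assumed Entra activity names).
PRIVILEGED_OPS = {
    "Add application", "Add service principal", "Consent to application",
    "Add member to role", "Add app role assignment to service principal",
}


def parse(ts):
    return datetime.fromisoformat(ts)


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_attempts_per_user=2):
    """Return {source_ip: set(targeted users)} for sources whose failures inside
    any `window` touch >= min_users accounts with <= max_attempts_per_user each.
    The low-per-account count is what separates a spray from brute force."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e)
    findings = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: parse(e["time"]))
        for i, start in enumerate(evs):          # sliding window over failures
            end = parse(start["time"]) + window
            per_user = defaultdict(int)
            for e in evs[i:]:
                if parse(e["time"]) > end:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
                findings.setdefault(ip, set()).update(per_user)
    return findings


def likely_compromised(events, spray):
    """Accounts in a spray target set that then succeeded from the spraying
    source without MFA: the weak-account outcome described in the briefing."""
    return {e["user"] for e in events
            if e["result"] == "success" and not e["mfa"]
            and e["ip"] in spray and e["user"] in spray[e["ip"]]}


def detect_followon_activity(audits, suspects):
    """Privileged app/role changes performed by suspect accounts, in time order."""
    hits = [a for a in audits if a["actor"] in suspects and a["operation"] in PRIVILEGED_OPS]
    return sorted(hits, key=lambda a: parse(a["time"]))


def run(signins=SIGNINS, audits=AUDITS):
    """Chain the three detections and return a JSON-friendly summary."""
    spray = detect_password_spray(signins)
    suspects = likely_compromised(signins, spray)
    return {"spray_sources": sorted(spray),
            "suspect_accounts": sorted(suspects),
            "followon": detect_followon_activity(audits, suspects)}


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

Note that carol's "Add application" event is not flagged because the script only correlates privileged operations with accounts that fell to the spray; in a real tenant, every new application, consent grant, and admin role assignment still deserves review on its own, and the thresholds (`min_users`, `max_attempts_per_user`, `window`) should be tuned to the tenant's normal failure rate.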
UPDATE (April 24th, 2024): According to a TechCrunch report, Microsoft also exposed employee credentials on a server that they have since locked down.
Thanks for reading MSP Incident Insights. If you’d like to sign up to receive these threat briefings in your inbox, you can register for our email newsletter.